How to fix CVE-2025-64521?

During next maintenance window: Identify affected systems running previous authentik and apply vendor patches when convenient. Vendor patch is available.

Is Authentik affected by CVE-2025-64521?

Organizations using previous authentik should be aware of moderate risk from CVE-2025-64521 rated CVSS 4.8. Exploitation could compromise the security of affected deployments. A patch is available and should be applied during regular vulnerability management.

CVE-2025-64521

MEDIUM

2025-11-19 [email protected]

4.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:23 vuln.today

Patch Released

Mar 28, 2026 - 19:23 nvd

Patch available

CVE Published

Nov 19, 2025 - 17:15 nvd

MEDIUM 4.8

Description

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks if the service account is still valid, and deny access if not.

Analysis

authentik is an open-source Identity Provider. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity.

Technical Context

This vulnerability is classified under CWE-289. authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks if the service account is still valid, and deny access if not. Affected products include: Goauthentik Authentik.

Affected Products

Goauthentik Authentik.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +24

POC: 0

Vendor Status

CVE-2025-64521 vulnerability details – vuln.today

Back

CVE-2025-64521

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-64521

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code