The Ghost in the Machine: Deactivated Users Haunt authentik's OAuth/SAML Flows
Jan 1, 2026·12 min read·15 visits
Executive Summary (TL;DR)
Deactivated users in authentik aren't really gone. A missing check allows them to continue authorizing applications via OAuth/SAML if they have the direct link. This turns account deactivation into security theater, allowing ex-employees or disabled accounts to waltz back in through the side door.
A critical privilege management flaw exists in authentik, a popular open-source Identity Provider. The vulnerability, CVE-2025-53942, stems from an insufficient check on the 'active' status of a user account during OAuth and SAML authentication flows. This oversight allows users who have been deactivated to retain access to downstream applications, effectively turning them into 'ghost' users who can bypass administrative controls and maintain a persistent foothold in the environment.
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:LAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
authentik authentik Security | <= 2025.4.3 | 2025.4.4 |
authentik authentik Security | >= 2025.6.0-rc1, < 2025.6.4 | 2025.6.4 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-269 |
| CWE Name | Improper Privilege Management |
| Attack Vector | Network |
| CVSS Score | 7.4 (High) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |
| EPSS Score | 0.07% (Probability of exploitation is low) |
| Impact | Unauthorized Access, Information Disclosure, Privilege Persistence |
| Exploit Status | Proof of Concept / Theoretical |
MITRE ATT&CK Mapping
The software does not properly assign, check, track, or revoke privileges or permissions for an actor, creating an unintended sphere of control.
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.