CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2025-53942
7.40.07%

The Ghost in the Machine: Deactivated Users Haunt authentik's OAuth/SAML Flows

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 1, 2026·12 min read·18 visits

PoC Available

Executive Summary (TL;DR)

Deactivated users in authentik aren't really gone. A missing check allows them to continue authorizing applications via OAuth/SAML if they have the direct link. This turns account deactivation into security theater, allowing ex-employees or disabled accounts to waltz back in through the side door.

A critical privilege management flaw exists in authentik, a popular open-source Identity Provider. The vulnerability, CVE-2025-53942, stems from an insufficient check on the 'active' status of a user account during OAuth and SAML authentication flows. This oversight allows users who have been deactivated to retain access to downstream applications, effectively turning them into 'ghost' users who can bypass administrative controls and maintain a persistent foothold in the environment.

Technical Appendix

CVSS Score
7.4/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
EPSS Probability
0.07%
Top 100% most exploited

Affected Systems

authentik Identity Provider

Affected Versions Detail

Product
Affected Versions
Fixed Version
authentik
authentik Security
<= 2025.4.32025.4.4
authentik
authentik Security
>= 2025.6.0-rc1, < 2025.6.42025.6.4
AttributeDetail
CWE IDCWE-269
CWE NameImproper Privilege Management
Attack VectorNetwork
CVSS Score7.4 (High)
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
EPSS Score0.07% (Probability of exploitation is low)
ImpactUnauthorized Access, Information Disclosure, Privilege Persistence
Exploit StatusProof of Concept / Theoretical

MITRE ATT&CK Mapping

T1078Valid Accounts
Persistence
T1078.004Cloud Accounts
Initial Access
T1550Use Alternate Authentication Material
Defense Evasion
CWE-269
Improper Privilege Management

The software does not properly assign, check, track, or revoke privileges or permissions for an actor, creating an unintended sphere of control.

Vulnerability Timeline

Vulnerability discovered by an independent researcher.
2025-05-10
Vendor (authentik Security) privately notified.
2025-05-12
Patches developed and tested.
2025-06-20
Patched versions 2025.4.4 and 2025.6.4 released. Public disclosure and CVE published.
2025-06-25

References & Sources

  • [1]NVD - CVE-2025-53942
  • [2]MITRE - CWE-269: Improper Privilege Management

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.