Improper Privilege Management
CVE-2025-53942
Summary
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions through 2025.4.3, and 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state: they cannot access the API, but crucially they can still authorize applications if they know the application's URL. To work around this issue until upgrading to a version outside the affected ranges, add an expression policy to the user login stage on the respective authentication flow with the expression `return request.context["pending_user"].is_active`. Because the policy returns `False` for a deactivated user, the user login stage only runs when the pending user is active.
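The workaround above relies on authentik evaluating an expression policy as the body of a Python function, with the flow's pending user exposed through `request.context`, and on a bound policy returning `False` preventing the stage from running. The following is an added illustration of that gating logic, not authentik's own evaluator or any code from the project: `User`, `PolicyRequest`, `evaluate_expression`, `user_login_stage_allowed` and `run_flow` are constructed stand-ins, and the "authorized" outcome for a deactivated user without the policy models the half-authenticated state the advisory describes.

```python
"""Added example: simulating how an expression policy gates a flow stage.

Illustrative code only; the classes and functions here are assumptions that
stand in for authentik's request context and stage bindings.
"""
from dataclasses import dataclass, field
import textwrap

# The expression from the advisory workaround, verbatim.
WORKAROUND_EXPRESSION = 'return request.context["pending_user"].is_active'


@dataclass
class User:
    """Constructed stand-in for an identity-provider user record."""
    username: str
    is_active: bool


@dataclass
class PolicyRequest:
    """Constructed stand-in: policies see flow-plan state via request.context."""
    context: dict = field(default_factory=dict)


def evaluate_expression(expression: str, request: PolicyRequest) -> bool:
    """Evaluate a policy snippet as the body of a function.

    Wrapping the snippet in a `def` is what makes a bare `return` legal.
    Any exception (for example a missing "pending_user" key) is treated as
    a deny, so the policy fails closed. Stripping builtins is not a
    sandbox; it is just not needed by this expression.
    """
    source = "def handler(request):\n" + textwrap.indent(expression, "    ") + "\n"
    namespace: dict = {}
    try:
        exec(source, {"__builtins__": {}}, namespace)
        return bool(namespace["handler"](request))
    except Exception:
        return False


def user_login_stage_allowed(request: PolicyRequest, policies: list) -> bool:
    """Stage binding: the stage runs only if every bound policy passes."""
    return all(evaluate_expression(policy, request) for policy in policies)


def run_flow(pending_user: User, policies: list) -> str:
    """Return the state the user reaches after the user login stage.

    "authorized" means the stage ran and the resulting session can authorize
    applications; "denied" means a policy blocked the stage.
    """
    request = PolicyRequest(context={"pending_user": pending_user})
    if not user_login_stage_allowed(request, policies):
        return "denied"
    return "authorized"


if __name__ == "__main__":
    deactivated = User("mallory", is_active=False)
    active = User("alice", is_active=True)
    # Without the policy the deactivated user still reaches the stage.
    print("no policy, deactivated:", run_flow(deactivated, []))
    # With the workaround policy bound, only active users get through.
    print("policy, deactivated:", run_flow(deactivated, [WORKAROUND_EXPRESSION]))
    print("policy, active:", run_flow(active, [WORKAROUND_EXPRESSION]))
```

The fail-closed branch matters in practice: if the policy is bound to a stage in a flow where `pending_user` is not yet set, the `KeyError` must deny rather than let the stage run, so the check should be placed on the user login stage of the authentication flow as the advisory states, where the pending user is already known.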
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-269 - Improper Privilege Management
An effective privilege management infrastructure provides valid users with required access and privileges across heterogeneous technology environments. An application with a faulty privilege management infrastructure allows higher than authorized privileges or enables privilege escalation. This can lead to security incidents such as system infiltration, data breach, and complete system takeover.
References
Advisory Timeline
- Published