
Name of the Vulnerable Software and Affected Versions:
authentik versions prior to 2025.4.4
authentik versions 2025.6.0-rc1 through 2025.6.3

Description: Deactivated users who registered through OAuth/SAML, or who linked their accounts to OAuth/SAML providers, can retain partial access to the system despite their accounts being deactivated. Such users enter a half-authenticated state in which they cannot access the API but can still authorize applications if they know the application URL.

Recommendations: For versions prior to 2025.4.4, add an expression policy to the user login stage on the respective authentication flow with the expression: return request.context["pending_user"].is_active. For versions 2025.6.0-rc1 through 2025.6.3, add an expression policy to the user login stage on the respective authentication flow with the expression: return request.context["pending_user"].is…
PT-2025-30439 · Authentik · Authentik

