authentik OAuth/SAML User Deactivation Bypass Vulnerability

Vulnerability

A vulnerability exists in authentik, an open-source Identity Provider, allowing deactivated users who registered through or linked to OAuth/SAML providers to retain partial system access. Affected versions include 2025.4.4 and earlier, as well as 2025.6.0-rc1 through 2025.6.3. These users enter a half-authenticated state where they cannot access the API but can authorize applications if they know the application's URL. This issue arises from insufficient checks on account active status during authentication with OAuth/SAML sources.

Impact

Exploitation of this vulnerability allows deactivated users to authorize applications, potentially leading to unauthorized access or actions within those applications.

Reproduction

To reproduce this vulnerability, deactivate a user who has registered through OAuth/SAML or linked their account to an OAuth/SAML provider. Then, attempt to authorize an application using that deactivated account, which should be possible if the application's URL is known.

Remediation

Users can upgrade to authentik versions 2025.4.4 or 2025.6.4, both of which address this vulnerability. Additionally, an expression policy can be added to the user login stage of the relevant authentication flow to ensure that only active users are allowed to log in.
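One way to express the workaround described above, as an added example that is not the advisory's or authentik's own code: an expression policy body for the User Login stage that denies the flow when the account being logged in is inactive. It assumes authentik's expression-policy environment (`request.user`, `request.context` with a `pending_user` key for source-initiated logins, and the `ak_message` helper) and models that environment with constructed stand-ins so the check can be run offline.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the objects authentik hands to an expression policy.
# Assumption: a flow started from an OAuth/SAML source carries the user being
# logged in as request.context["pending_user"], not yet as request.user.
@dataclass
class User:
    username: str
    is_active: bool

@dataclass
class Request:
    user: Optional[User]
    context: dict = field(default_factory=dict)

# Body of the expression policy to attach to the User Login stage. The deny
# branch is what closes the half-authenticated state for deactivated accounts:
# the source login is stopped before a session or authorization can be issued.
POLICY_EXPRESSION = """\
user = request.context.get("pending_user") or request.user
if user is None:
    ak_message("No user to check; denying")
    return False
if not user.is_active:
    ak_message("Account is deactivated")
    return False
return True
"""

def evaluate_policy(expression: str, request: Request) -> bool:
    """Evaluate a policy body the way an expression engine does: wrap it in a
    function whose scope exposes request and the ak_message helper."""
    messages: list = []
    indented = "\n".join("    " + line for line in expression.splitlines())
    scope = {"request": request, "ak_message": messages.append}
    exec(f"def _policy(request):\n{indented}", scope)  # constructed, trusted body
    return bool(scope["_policy"](request))

def login_allowed(user: User, via_source: bool) -> bool:
    """Model one login attempt: source logins carry pending_user in the flow
    context, ordinary logins already have request.user set."""
    if via_source:
        req = Request(user=None, context={"pending_user": user})
    else:
        req = Request(user=user)
    return evaluate_policy(POLICY_EXPRESSION, req)
```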

Added: Jul 23, 2025, 9:20 PM
Updated: Jul 23, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 7.4
remediation: 8.3
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.