authentik Deactivated Service Account Can Authenticate to OAuth Vulnerability

Vulnerability

A vulnerability exists in authentik, an open-source Identity Provider, in versions prior to 2025.8.5 and 2025.10.2. When a client authenticates to an OAuth provider with client_id and client_secret, authentik creates a service account for that provider. In affected versions, it was possible to authenticate with this service account even after it had been deactivated. Other permissions are enforced correctly and federation with other providers respects the assigned policies, but this flaw allows unauthorized access through the deactivated service account.

Impact

Exploitation of this vulnerability allows a deactivated service account to authenticate with an OAuth provider, potentially leading to unauthorized access or actions within the application or service that relies on this OAuth integration.

Reproduction

To reproduce this vulnerability, authenticate with a deactivated service account using its client_id and client_secret against an OAuth provider that is integrated with authentik. If the authentication succeeds despite the account being deactivated, the vulnerability is present.

Remediation

Users can upgrade to authentik 2025.8.5 or 2025.10.2, which address this vulnerability. For earlier versions, a workaround is to bind a policy to the application that checks whether the service account is active and denies access if it is not.
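The workaround policy, written out as an added example that is not part of this advisory or of the authentik project: the body of deny_inactive_user is the kind of logic that would go in an authentik expression policy bound to the application. It assumes, as in authentik's expression-policy context, that request.user exposes is_active and a type attribute and that an ak_message helper exists; the User, Request and ak_message stand-ins below are constructed only so the check can be run outside authentik.

```python
from dataclasses import dataclass


# Constructed stand-ins for the objects an authentik expression policy sees.
@dataclass
class User:
    username: str
    is_active: bool
    # Assumed attribute: authentik distinguishes service accounts by user type.
    type: str = "service_account"


@dataclass
class Request:
    user: User


def ak_message(msg: str) -> None:
    # Stand-in for authentik's ak_message() helper, which surfaces the text
    # to the user/flow; here it just records the denial reason.
    print(f"policy message: {msg}")


def deny_inactive_user(request: Request) -> bool:
    """Return True to allow access, False to deny (expression-policy semantics).

    Deactivated accounts of any type are denied; the user type is only used
    to make the denial message precise, since the advisory concerns the
    service accounts authentik creates for OAuth providers.
    """
    user = request.user
    if not user.is_active:
        kind = "service account" if "service_account" in user.type else "user"
        ak_message(f"Access denied: {kind} '{user.username}' is deactivated")
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the provider's service account after deactivation.
    sa = User(username="ak-provider-sa", is_active=False)
    print("allowed" if deny_inactive_user(Request(sa)) else "denied")
```

In authentik, only the function body (using request.user and ak_message directly, ending in return True/False) would be pasted into the expression policy; bind that policy to the affected application so it is evaluated on every access.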

Added: Nov 19, 2025, 5:21 PM
Updated: Nov 19, 2025, 7:35 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 6.0
remediation: 8.3
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.