authentik Invitation Expiry Validation Vulnerability

Vulnerability

A vulnerability exists in authentik, an open-source Identity Provider, in versions prior to 2025.8.5 and 2025.10.2. Invitations were incorrectly treated as valid regardless of their expiration status, relying on background tasks to remove expired invitations. This cleanup process is scheduled to occur every five minutes, but can take longer if there is a backlog of tasks. The issue has been addressed in authentik versions 2025.8.5 and 2025.10.2.

Impact

Exploitation of this vulnerability could lead to unauthorized access via expired invitations, because the system did not check the invitation's expiry at the moment access was requested, only during the periodic cleanup.

Reproduction

To reproduce this vulnerability, create an invitation and let it pass its expiry time without deleting it. Then access the invitation flow. The system accepts the invitation as valid even though it has expired, because the expiry is not validated when the flow runs. This can be tested by creating a policy that checks the invitation's validity and binding it to the invitation stage, which denies access for invalid invitations.

Remediation

Users can upgrade to authentik versions 2025.8.5 or 2025.10.2, where this issue is fixed. For unpatched versions, a policy can be created that checks the validity of the invitation; binding it to the invitation stage of the invitation flow denies access when the invitation has expired.
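The check that both the Reproduction and Remediation sections describe, written out as an added example (not code from the authentik project or from this advisory): a small model of an invitation record and a policy function that fails closed when the invitation is missing or past its expiry, evaluated at the time the flow runs rather than by a background cleanup. The `Invitation` class, the `expires` field semantics, and the `"invitation"` context key are assumptions for this example, not authentik's own model or context layout.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Invitation:
    """Constructed stand-in for an invitation record.

    `expires` is assumed to be a timezone-aware datetime, or None when the
    invitation never expires (an assumption for this example, not
    authentik's model definition).
    """
    name: str
    expires: Optional[datetime]
    single_use: bool = True

    def is_expired(self, now: datetime) -> bool:
        # An invitation without an expiry never lapses; otherwise compare
        # against the current time at the moment the flow is executed.
        if self.expires is None:
            return False
        return now >= self.expires


def invitation_policy(context: dict, now: Optional[datetime] = None) -> bool:
    """Return True to allow the stage, False to deny it.

    Mirrors what a policy bound to the invitation stage would do: read the
    invitation from the flow context and refuse anything missing or past its
    expiry. The context key "invitation" is an assumption of this example.
    """
    now = now or datetime.now(timezone.utc)
    invitation = context.get("invitation")
    if invitation is None:
        # No invitation in the flow context: fail closed.
        return False
    return not invitation.is_expired(now)


# Constructed sample data: a fixed "now" keeps every evaluation deterministic.
NOW = datetime(2025, 11, 19, 17, 20, tzinfo=timezone.utc)

SAMPLE_INVITATIONS = {
    "still-valid": Invitation("still-valid", NOW + timedelta(hours=1)),
    "expired-an-hour-ago": Invitation("expired-an-hour-ago", NOW - timedelta(hours=1)),
    # Expired two minutes ago: still inside the five-minute cleanup interval
    # the advisory describes, so the background task would not have removed it
    # yet. The policy denies it anyway because it checks expiry directly.
    "expired-in-cleanup-window": Invitation("expired-in-cleanup-window", NOW - timedelta(minutes=2)),
    "never-expires": Invitation("never-expires", None),
}


def evaluate_all(now: datetime = NOW) -> dict:
    """Run the policy over every sample invitation; maps name -> allowed."""
    results = {}
    for name, inv in SAMPLE_INVITATIONS.items():
        results[name] = invitation_policy({"invitation": inv}, now)
    # A flow that reaches the stage with no invitation at all must be denied.
    results["no-invitation"] = invitation_policy({}, now)
    return results


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{name:28s} -> {'allow' if allowed else 'deny'}")
```

The point of the example is the "expired-in-cleanup-window" case: an invitation that lapsed moments ago is still present in storage until the periodic task runs, so only a check performed at access time closes the gap. In an authentik deployment the same comparison would live in an expression policy bound to the invitation stage; the exact context variable that stage exposes should be confirmed against the authentik documentation for the version in use.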

Added: Nov 19, 2025, 5:20 PM
Updated: Nov 19, 2025, 7:34 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.3
exploitability: 7.4
remediation: 8.3
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.