website/docs/security/cves/CVE-2025-53942.md
Reported by @pascalwei
Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application.
authentik 2025.4.4 and 2025.6.4 fix this issue.
Adding an expression policy to the user login stage on the respective authentication flow with the expression of
return request.context["pending_user"].is_active
This expression will only activate the user login stage when the user is active.
If you have any questions or comments about this advisory: