PYSEC-2025-237

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/authentik-client/PYSEC-2025-237.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2025-237
Aliases
Published
2025-11-19T17:15:52.033Z
Modified
2026-07-13T07:26:54.452545220Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks if the service account is still valid, and deny access if not.

References

Affected packages

PyPI / authentik-client

Package

Name
authentik-client
View open source insights on deps.dev
Purl
pkg:pypi/authentik-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2025.8.0
Fixed
2025.8.5
Introduced
2025.10.0
Fixed
2025.10.2

Affected versions

2025.*
2025.8.0
2025.8.1
2025.8.2
2025.8.3
2025.8.4
2025.10.0
2025.10.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/authentik-client/PYSEC-2025-237.yaml"