Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64708

CVE-2025-64708: Goauthentik Authentik Auth Bypass Flaw

CVE-2025-64708 is an authentication bypass vulnerability in Goauthentik Authentik that allows expired invitations to remain valid. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2025-64708 Overview

CVE-2025-64708 affects authentik, an open-source Identity Provider used for single sign-on and access management. The vulnerability exists in the invitation flow, where expired invitations remained valid until a background cleanup task removed them. This cleanup task runs every 5 minutes under normal conditions, but backlogged task queues can extend that window significantly. During this window, attackers holding an expired invitation token can still complete registration flows tied to that invitation. The issue is fixed in authentik versions 2025.8.5 and 2025.10.2. This weakness is classified as [CWE-613] Insufficient Session Expiration.

Critical Impact

Expired invitation tokens can be redeemed after their intended expiration, allowing unauthorized enrollment through invitation-based flows until backend cleanup executes.

Affected Products

  • authentik versions prior to 2025.8.5
  • authentik versions prior to 2025.10.2
  • goauthentik authentik (all releases before the fixed versions)

Discovery Timeline

  • 2025-11-19 - CVE-2025-64708 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64708

Vulnerability Analysis

The invitation stage in authentik retrieved invitation objects by primary key without checking the expiration timestamp at redemption time. The application relied on a scheduled housekeeping task to purge expired invitation records from the database. Any invitation still present in the database was accepted as valid, regardless of its expires field. When the Celery task backlog grew, expired records persisted well beyond the intended 5-minute cleanup interval. This design choice created a gap between the logical expiration of an invitation and its practical revocation.

Root Cause

The root cause is a missing expiration check in the invitation lookup query. In authentik/stages/invitation/stage.py, the code invoked Invitation.objects.filter(pk=token).first(), which returned any matching record irrespective of expiration state. Validation of the expires attribute was delegated entirely to asynchronous cleanup jobs rather than enforced at the point of use.

Attack Vector

An attacker who obtains an invitation token — for example, through interception, an accidentally shared link, or a leaked email — can present it to the invitation flow after its intended validity window. The request is served over the network without authentication, matching the network attack vector characteristics of this issue. Successful redemption allows the attacker to complete whatever enrollment or account-linking action the invitation authorized.

python
         if not token:
             return None
         try:
-            invite: Invitation = Invitation.objects.filter(pk=token).first()
+            invite: Invitation | None = Invitation.filter_not_expired(pk=token).first()
         except ValidationError:
             self.logger.debug("invalid invitation", token=token)
             return None

Source: GitHub commit 6672e6a. The patch replaces the unfiltered objects.filter call with Invitation.filter_not_expired, enforcing the expiration check at query time.

Detection Methods for CVE-2025-64708

Indicators of Compromise

  • Successful invitation redemptions where the invitation expires timestamp precedes the enrollment event.
  • User accounts created through invitation flows during periods when the Celery cleanup queue was backlogged.
  • Repeated invitation-stage requests referencing tokens older than the configured expiration window.

Detection Strategies

  • Query authentik audit logs for invitation_used events and cross-reference each event against the corresponding invitation's expires field.
  • Alert on any enrollment flow completion tied to an invitation record whose expiration predates the flow execution timestamp.
  • Monitor Celery worker queue depth and task age to identify windows where expired records could linger.

Monitoring Recommendations

  • Ingest authentik event logs into a centralized log platform and build correlation rules linking invitation creation, expiration, and redemption events.
  • Track new user provisioning volume through invitation flows and alert on statistically abnormal spikes.
  • Review administrative flows that use invitation stages and confirm they emit sufficient telemetry for post-incident review.

How to Mitigate CVE-2025-64708

Immediate Actions Required

  • Upgrade authentik to version 2025.8.5 or 2025.10.2 or later without delay.
  • Audit existing invitations and revoke any that are outstanding, expired, or otherwise unaccounted for.
  • Review recent account creations through invitation flows for evidence of expired-token redemption.

Patch Information

The fix is delivered in authentik 2025.8.5 and 2025.10.2. Details are documented in the GitHub Security Advisory GHSA-ch7q-53v8-73pc and implemented in commit 6672e6a. The change enforces expiration checks at invitation lookup rather than relying on background cleanup.

Workarounds

  • Create an authentik expression policy that evaluates whether the invitation is still within its validity window.
  • Bind the policy to the invitation stage on the invitation flow so it executes at redemption time.
  • Configure the policy to deny access when the invitation is expired, closing the gap until upgrade.
bash
# Example expression policy body to bind on the invitation stage
return request.context.get('invitation') is not None and \
       not request.context['invitation'].is_expired

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.