CVE-2025-64708 Overview
CVE-2025-64708 affects authentik, an open-source Identity Provider used for single sign-on and access management. The vulnerability exists in the invitation flow, where expired invitations remained valid until a background cleanup task removed them. This cleanup task runs every 5 minutes under normal conditions, but backlogged task queues can extend that window significantly. During this window, attackers holding an expired invitation token can still complete registration flows tied to that invitation. The issue is fixed in authentik versions 2025.8.5 and 2025.10.2. This weakness is classified as [CWE-613] Insufficient Session Expiration.
Critical Impact
Expired invitation tokens can be redeemed after their intended expiration, allowing unauthorized enrollment through invitation-based flows until backend cleanup executes.
Affected Products
- authentik versions prior to 2025.8.5
- authentik versions prior to 2025.10.2
- goauthentik authentik (all releases before the fixed versions)
Discovery Timeline
- 2025-11-19 - CVE-2025-64708 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64708
Vulnerability Analysis
The invitation stage in authentik retrieved invitation objects by primary key without checking the expiration timestamp at redemption time. The application relied on a scheduled housekeeping task to purge expired invitation records from the database. Any invitation still present in the database was accepted as valid, regardless of its expires field. When the Celery task backlog grew, expired records persisted well beyond the intended 5-minute cleanup interval. This design choice created a gap between the logical expiration of an invitation and its practical revocation.
Root Cause
The root cause is a missing expiration check in the invitation lookup query. In authentik/stages/invitation/stage.py, the code invoked Invitation.objects.filter(pk=token).first(), which returned any matching record irrespective of expiration state. Validation of the expires attribute was delegated entirely to asynchronous cleanup jobs rather than enforced at the point of use.
Attack Vector
An attacker who obtains an invitation token — for example, through interception, an accidentally shared link, or a leaked email — can present it to the invitation flow after its intended validity window. The request is served over the network without authentication, matching the network attack vector characteristics of this issue. Successful redemption allows the attacker to complete whatever enrollment or account-linking action the invitation authorized.
if not token:
return None
try:
- invite: Invitation = Invitation.objects.filter(pk=token).first()
+ invite: Invitation | None = Invitation.filter_not_expired(pk=token).first()
except ValidationError:
self.logger.debug("invalid invitation", token=token)
return None
Source: GitHub commit 6672e6a. The patch replaces the unfiltered objects.filter call with Invitation.filter_not_expired, enforcing the expiration check at query time.
Detection Methods for CVE-2025-64708
Indicators of Compromise
- Successful invitation redemptions where the invitation expires timestamp precedes the enrollment event.
- User accounts created through invitation flows during periods when the Celery cleanup queue was backlogged.
- Repeated invitation-stage requests referencing tokens older than the configured expiration window.
Detection Strategies
- Query authentik audit logs for invitation_used events and cross-reference each event against the corresponding invitation's expires field.
- Alert on any enrollment flow completion tied to an invitation record whose expiration predates the flow execution timestamp.
- Monitor Celery worker queue depth and task age to identify windows where expired records could linger.
Monitoring Recommendations
- Ingest authentik event logs into a centralized log platform and build correlation rules linking invitation creation, expiration, and redemption events.
- Track new user provisioning volume through invitation flows and alert on statistically abnormal spikes.
- Review administrative flows that use invitation stages and confirm they emit sufficient telemetry for post-incident review.
How to Mitigate CVE-2025-64708
Immediate Actions Required
- Upgrade authentik to version 2025.8.5 or 2025.10.2 or later without delay.
- Audit existing invitations and revoke any that are outstanding, expired, or otherwise unaccounted for.
- Review recent account creations through invitation flows for evidence of expired-token redemption.
Patch Information
The fix is delivered in authentik 2025.8.5 and 2025.10.2. Details are documented in the GitHub Security Advisory GHSA-ch7q-53v8-73pc and implemented in commit 6672e6a. The change enforces expiration checks at invitation lookup rather than relying on background cleanup.
Workarounds
- Create an authentik expression policy that evaluates whether the invitation is still within its validity window.
- Bind the policy to the invitation stage on the invitation flow so it executes at redemption time.
- Configure the policy to deny access when the invitation is expired, closing the gap until upgrade.
# Example expression policy body to bind on the invitation stage
return request.context.get('invitation') is not None and \
not request.context['invitation'].is_expired
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

