CVE-2025-53942

{"id": "CVE-2025-53942", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-23T21:15:26.777", "references": [{"url": "https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To workaround this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression of return request.context[\"pending_user\"].is_active. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4."}, {"lang": "es", "value": "authentik es un proveedor de identidad de c\u00f3digo abierto que prioriza la flexibilidad y la versatilidad, compatible con una amplia gama de protocolos. En las versiones 2025.4.4 y anteriores, as\u00ed como en las versiones 2025.6.0-rc1 a 2025.6.3, los usuarios desactivados que se registraron mediante OAuth/SAML o vincularon sus cuentas a proveedores de OAuth/SAML a\u00fan pueden conservar acceso parcial al sistema a pesar de que sus cuentas est\u00e9n desactivadas. Al final, se encuentran en un estado de autenticaci\u00f3n parcial, donde no pueden acceder a la API, pero, fundamentalmente, pueden autorizar aplicaciones si conocen la URL de la aplicaci\u00f3n. Para solucionar este problema, los desarrolladores pueden agregar una pol\u00edtica de expresi\u00f3n a la etapa de inicio de sesi\u00f3n del usuario en el flujo de autenticaci\u00f3n correspondiente con la expresi\u00f3n `return request.context[\"pending_user\"].is_active`. Esta modificaci\u00f3n garantiza que la declaraci\u00f3n `return` solo active la etapa de inicio de sesi\u00f3n del usuario cuando este est\u00e9 activo. Este problema se solucion\u00f3 en las versiones authentik 2025.4.4 y 2025.6.4."}], "lastModified": "2025-08-21T18:35:27.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B67336A3-1BC2-473D-98B4-FAAC2D013B30", "versionEndExcluding": "2025.4.4"}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "644FC67A-CE30-4952-B9FA-2BE2DC6E9582", "versionEndExcluding": "2025.6.4", "versionStartIncluding": "2025.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}