#VU118625 Operation on a Resource after Expiration or Release in authentik - CVE-2025-64708

Published: November 19, 2025


Vulnerability identifier: #VU118625
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-64708
CWE-ID: CWE-672
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
authentik
Software vendor:
Authentik Security Inc

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because authentik treats invitations as valid regardless of their expiration date and relies on background tasks to clean up expired ones. Normally this takes up to 5 minutes, because the cleanup of expired objects is scheduled to run every 5 minutes; with a large backlog of tasks, however, it can take longer. This allows a remote attacker to guess an invitation token and gain unauthorized access to the application.
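The weakness described above is the gap between when an invitation expires and when a periodic cleanup job deletes it. The following added example (not authentik's code; the `Invitation` model, `InvitationStore` and the 5-minute cleanup cadence are hypothetical stand-ins) contrasts a lookup that equates "row still exists" with "valid" against one that enforces the expiry at use time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class Invitation:
    """Hypothetical invitation record: a secret token and an absolute expiry."""
    token: str
    expires: datetime


class InvitationStore:
    """In-memory store that mimics both validation strategies."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Invitation] = {}

    def add(self, inv: Invitation) -> None:
        self._by_token[inv.token] = inv

    def cleanup_expired(self, now: datetime) -> int:
        """Background task (assumed to run every 5 minutes): delete expired rows."""
        expired = [t for t, inv in self._by_token.items() if inv.expires <= now]
        for t in expired:
            del self._by_token[t]
        return len(expired)

    def lookup_vulnerable(self, token: str) -> Optional[Invitation]:
        """Vulnerable pattern: presence in the table is treated as validity, so an
        expired invitation stays usable until the cleanup task removes it."""
        return self._by_token.get(token)

    def lookup_fixed(self, token: str, now: datetime) -> Optional[Invitation]:
        """Hardened pattern: check expiry at the moment of use, independent of cleanup."""
        inv = self._by_token.get(token)
        if inv is None or inv.expires <= now:
            return None
        return inv


def demo() -> dict:
    """Constructed scenario: invitation expired 30 s ago, cleanup has not run yet."""
    t0 = datetime(2025, 11, 19, 12, 0, tzinfo=timezone.utc)
    store = InvitationStore()
    store.add(Invitation(token="example-invite-token", expires=t0 + timedelta(minutes=1)))
    now = t0 + timedelta(minutes=1, seconds=30)  # past expiry, before next cleanup
    result = {
        "vulnerable_accepts_expired": store.lookup_vulnerable("example-invite-token") is not None,
        "fixed_accepts_expired": store.lookup_fixed("example-invite-token", now) is not None,
    }
    result["removed_by_cleanup"] = store.cleanup_expired(now + timedelta(minutes=5))
    result["vulnerable_after_cleanup"] = store.lookup_vulnerable("example-invite-token") is not None
    return result
```

The vulnerable lookup only stops accepting the token once the cleanup job has run, which is exactly the window the advisory describes.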


Remediation

Install updates from the vendor's website.

External links