Operation on a Resource after Expiration or Release in authentik - CVE-2025-64708

Published: November 19, 2025


Vulnerability identifier: #VU118625
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-64708
CWE-ID: CWE-672
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Authentik Security Inc
Affected software:
authentik

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because authentik considers invitations valid regardless of their expiration date, relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes, because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large number of tasks in the backlog, this might take longer. This allows a remote attacker to guess an invitation token and gain unauthorized access to the application.
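The gap described above, as an added example that is not authentik's own code: a hypothetical in-memory invitation store in which the vulnerable redemption path treats "row still present" as "still valid" and relies on a scheduled cleanup to remove expired rows, beside a hardened path that enforces the expiration at redemption time. Names (`Invitation`, `InvitationStore`, `redeem_*`) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class Invitation:
    """Constructed model, not authentik's real Invitation."""
    token: str
    expires: datetime  # timezone-aware UTC


class InvitationStore:
    """Hypothetical table that a periodic task purges of expired rows."""

    def __init__(self) -> None:
        self._rows: Dict[str, Invitation] = {}

    def add(self, inv: Invitation) -> None:
        self._rows[inv.token] = inv

    def cleanup_expired(self, now: datetime) -> int:
        """Background task: deletes expired rows. It runs on a schedule
        (every 5 minutes per the advisory, later under backlog), so between
        runs an expired row is still physically present."""
        expired = [t for t, inv in self._rows.items() if inv.expires <= now]
        for t in expired:
            del self._rows[t]
        return len(expired)

    def redeem_vulnerable(self, token: str, now: datetime) -> Optional[Invitation]:
        """Vulnerable pattern: presence in the table is taken as validity,
        the expiration date is never consulted on the hot path."""
        return self._rows.get(token)

    def redeem_fixed(self, token: str, now: datetime) -> Optional[Invitation]:
        """Hardened pattern: expiry is checked at time of use, so the
        cleanup schedule no longer defines the acceptance window."""
        inv = self._rows.get(token)
        if inv is None or inv.expires <= now:
            return None
        return inv


def acceptance_window(store: InvitationStore, token: str, now: datetime) -> tuple:
    """Returns (accepted_by_vulnerable_path, accepted_by_fixed_path) at `now`."""
    return (store.redeem_vulnerable(token, now) is not None,
            store.redeem_fixed(token, now) is not None)
```

Between the moment an invitation expires and the next cleanup run, only the hardened path rejects it; after cleanup both paths reject it, which is why the window length equals the cleanup interval plus any backlog delay.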


How to mitigate CVE-2025-64708

Install updates from the vendor's website.

Sources