Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources

链接： https://github.com/advisories/GHSA-9g4j-v8w5-7x42

仓库 Star： 17372

参考链接：

• https://github.com/goauthentik/authentik/security/advisories/GHSA-9g4j-v8w5-7x42

• https://github.com/goauthentik/authentik/commit/7a4c6b9b50f8b837133a7a1fd2cb9b7f18a145cd

• https://github.com/goauthentik/authentik/commit/c3629d12bfe3d32d3dc8f85c0ee1f087a55dde8f

• https://github.com/goauthentik/authentik/commit/ce3f9e3763c1778bf3a16b98c95d10f4091436ab

• https://github.com/advisories/GHSA-9g4j-v8w5-7x42

描述：

Summary

Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application.

Patches

authentik 2025.4.4 and 2025.6.4 fix this issue.

Workarounds

Adding an expression policy to the user login stage on the respective authentication flow with the expression of

return request.context["pending_user"].is_active

This expression will only activate the user login stage when the user is active.

For more information

If you have any questions or comments about this advisory:

• Email us at security@goauthentik.io.