Home > Vulnerability Database > CVE-2025-64708

Mend.io Vulnerability Database

CVE-2025-64708

Good to know:

Date: November 19, 2025

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on the invitation flow, and denying access if the invitation is not valid.

Severity Score

5.8

Related Resources (5)

Url: https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64708

Url: https://github.com/goauthentik/authentik

Url: https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc

Url: https://www.mend.io/vulnerability-database/CVE-2025-64708

Severity Score

5.8

Weakness Type (CWE)

Insufficient Session Expiration

CWE-613

Top Fix

Upgrade Version

Upgrade to version https://github.com/goauthentik/authentik.git - version/2025.8.5;https://github.com/goauthentik/authentik.git - version/2025.10.2

Learn More

CVSS v3.1

Base Score:	5.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64708

Good to know:

Date: November 19, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?