24 matches found
BIT-AUTHENTIK-2025-64708 authentik invitation expiry is delayed by at least 5 minutes
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless of whether they had expired, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5...
SUSE CVE-2025-64521
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even...
SUSE CVE-2025-64708
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless of whether they had expired, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5...
CVE-2025-64521
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even...
authentik's invitation expiry is delayed by at least 5 minutes
Summary: In previous authentik versions, invitations were considered valid regardless of whether they had expired, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes...
GHSA-CH7Q-53V8-73PC authentik's invitation expiry is delayed by at least 5 minutes
Summary: In previous authentik versions, invitations were considered valid regardless of whether they had expired, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes...
authentik allows a deactivated Service account to authenticate to OAuth
Summary: When authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and...
GHSA-XR73-JQ5P-CH8R authentik allows a deactivated Service account to authenticate to OAuth
Summary: When authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and...
CVE-2025-64708 authentik invitation expiry is delayed by at least 5 minutes
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless of whether they had expired, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5...
CVE-2025-64708
The vulnerability CVE-2025-64708 affects authentik (open-source Identity Provider). Prior to versions 2025.8.5 and 2025.10.2, invitations remained valid despite expiration, relying on background cleanup every 5 minutes. In normal operation this cleanup can take up to 5 minutes, but with a large b...
CVE-2025-64521
CVE-2025-64521 affects authentik, an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, authenticating to an OAuth provider with client_id/client_secret could create a service account for the provider, and that account could be used even if deactivated. The issue was fixed i...
CVE-2025-64521 authentik deactivated service accounts can authenticate to OAuth
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even...
authentik code issue vulnerability
authentik is an open source identity provisioning application from authentik open source. A code issue vulnerability exists in authentik versions prior to 2025.8.5 and prior to 2025.10.2, which stems from invitations being treated as valid even after they have expired, which could lead to...
PT-2025-47495
Name of the Vulnerable Software and Affected Versions: authentik versions prior to 2025.8.5; authentik versions prior to 2025.10.2. Description: authentik, an open-source Identity Provider, had a flaw where invitations remained valid even after expiration. This relied on background tasks to remove...
authentik security vulnerability
authentik is an open source identity provisioning application from authentik Open Source. A security vulnerability exists in authentik versions prior to 2025.8.5 and prior to 2025.10.2, which stems from a service account that can still be authenticated after deactivation, potentially leading to...
CVE-2025-62172
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name fiel...
EUVD-2025-34249
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name...