security: fix CVE-2025-53942 (#15719)

Signed-off-by: Jens Langhammer <[email protected]>
# Conflicts:
#	authentik/stages/user_login/stage.py
#	authentik/stages/user_login/tests.py
#	website/docs/sidebar.mjs

Author: BeryJu

authentik/core/middleware.py

@@ -5,6 +5,7 @@
 from functools import partial
 from uuid import uuid4
 
+from django.contrib.auth import logout
 from django.contrib.auth.models import AnonymousUser
 from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
@@ -58,6 +59,11 @@ def process_request(self, request):
         request.user = SimpleLazyObject(lambda: get_user(request))
         request.auser = partial(aget_user, request)
 
+        user = request.user
+        if user and user.is_authenticated and not user.is_active:
+            logout(request)
+            raise AssertionError()
+
 
 class ImpersonateMiddleware:
     """Middleware to impersonate users"""

authentik/stages/password/tests.py

@@ -89,6 +89,29 @@ def test_valid_password(self):
         self.assertEqual(response.status_code, 200)
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
 
+    def test_valid_password_inactive(self):
+        """Test with a valid pending user and valid password"""
+        self.user.is_active = False
+        self.user.save()
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            # Form data
+            {"password": self.user.username},
+        )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertStageResponse(
+            response,
+            self.flow,
+            response_errors={"password": [{"string": "Invalid password", "code": "invalid"}]},
+        )
+
     def test_invalid_password(self):
         """Test with a valid pending user and invalid password"""
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])

authentik/stages/user_login/stage.py

@@ -91,6 +91,7 @@ def do_login(self, request: HttpRequest, remember: bool = False) -> HttpResponse
         user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
         if not user.is_active:
             self.logger.warning("User is not active, login will not work.")
+            return self.executor.stage_invalid()
         delta = self.set_session_duration(remember)
         self.set_session_ip()
         # the `user_logged_in` signal will update the user to write the `last_login` field

authentik/stages/user_login/tests.py

@@ -6,6 +6,7 @@
 from django.urls import reverse
 from django.utils.timezone import now
 
+from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.markers import StageMarker
@@ -174,6 +175,7 @@ def test_without_user(self):
             component="ak-stage-access-denied",
         )
 
+    @apply_blueprint("default/flow-default-user-settings-flow.yaml")
     def test_inactive_account(self):
         """Test with a valid pending user and backend"""
         self.user.is_active = False
@@ -187,8 +189,25 @@ def test_inactive_account(self):
         response = self.client.get(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         )
-
         self.assertEqual(response.status_code, 200)
-        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
+        self.assertStageResponse(
+            response, self.flow, component="ak-stage-access-denied", error_message="Unknown error"
+        )
+
+        # Check that API requests get rejected
         response = self.client.get(reverse("authentik_api:application-list"))
         self.assertEqual(response.status_code, 403)
+
+        # Check that flow requests requiring a user also get rejected
+        response = self.client.get(
+            reverse(
+                "authentik_api:flow-executor",
+                kwargs={"flow_slug": "default-user-settings-flow"},
+            )
+        )
+        self.assertStageResponse(
+            response,
+            self.flow,
+            component="ak-stage-access-denied",
+            error_message="Flow does not apply to current user.",
+        )

website/docs/security/cves/CVE-2025-53942.md

@@ -0,0 +1,29 @@
+# CVE-2025-53942
+
+_Reported by [@pascalwei](https://github.com/pascalwei)_
+
+## Insufficient check for account active status when authenticating with OAuth/SAML Sources
+
+### Summary
+
+Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application.
+
+### Patches
+
+authentik 2025.4.4 and 2025.6.4 fix this issue.
+
+### Workarounds
+
+Adding an expression policy to the user login stage on the respective authentication flow with the expression of
+
+```py
+return request.context["pending_user"].is_active
+```
+
+This expression will only activate the user login stage when the user is active.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+- Email us at [[email protected]](mailto:[email protected]).

website/sidebars.js

@@ -716,7 +716,11 @@ export default {
                         {
                             type: "category",
                             label: "2025",
-                            items: ["security/cves/CVE-2025-52553", "security/cves/CVE-2025-29928"],
+                            items: [
+                                "security/cves/CVE-2025-53942",
+                                "security/cves/CVE-2025-52553",
+                                "security/cves/CVE-2025-29928",
+                            ],
                         },
                         {
                             type: "category",