SCA: security update for goauthentik.io (GHSA-xr73-jq5p-ch8r)

medium Tenable Self-Hosted Container Security Plugin ID 436107

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when
authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account
for the provider. In previous authentik versions, authentication for this account was possible even when
the account was deactivated. Other permissions are correctly applied and federation with other providers
still take assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this
issue. A workaround involves adding a policy to the application that explicitly checks if the service
account is still valid, and deny access if not. (CVE-2025-64521)

See Also

https://github.com/advisories/GHSA-xr73-jq5p-ch8r

Plugin Details

Severity: Medium

ID: 436107

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 11/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.39

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 3.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:N

CVSS Score Source: CVE-2025-64521

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/19/2025

Vulnerability Publication Date: 11/19/2025

Reference Information

CVE: CVE-2025-64521