BIT-authentik-2022-46145

Import Source
https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2022-46145.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-authentik-2022-46145
Aliases
Published
2026-04-16T23:35:59.036Z
Modified
2026-04-17T04:56:57.765727584Z
Summary
authentik vulnerable to unauthorized user creation and potential account takeover
Details

authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows email-verified password recovery, this can be used to overwrite the email address of admin accounts and take those accounts over. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy whose expression is "return request.user.is_authenticated" can be created and bound to the default-user-settings-flow flow.

Database specific
{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / authentik

Package

Name
authentik
Purl
pkg:bitnami/authentik

Severity

  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2022.10.2
Introduced
2022.11.0
Fixed
2022.11.2

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/authentik/BIT-authentik-2022-46145.json"