CVE-2022-46145

CRITICAL9.8EPSS 2.0%

authentik vulnerable to unauthorized user creation and potential account takeover

發布日:2026/4/16修改日:2026/4/17

描述

authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`.

受影響套件(1)

Bitnami/authentikfrom 0, < 2022.10.2, >= 2022.11.0, < 2022.11.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

WEBhttps://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf
WEBhttps://goauthentik.io/docs/releases/2022.10#fixed-in-2022102
WEBhttps://goauthentik.io/docs/releases/2022.11#fixed-in-2022112
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-46145