authentik/website/docs/security/CVE-2022-46145.md

# CVE-2022-46145

_Reported by [@sdimovv](https://github.com/sdimovv)_

## Unauthorized user creation and potential account takeover

### Impact

With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts

### Patches

authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used.

### Workarounds

A policy can be created and bound to the `default-user-settings-flow` flow with the following contents

```python
return request.user.is_authenticated
```
security: fix CVE 2022 46145 (#4140) * add flow authentication requirement Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add website for cve Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * flows: handle FlowNonApplicableException without policy result Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add release notes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-12-02 15:14:25 +00:00			`# CVE-2022-46145`

website: link CVE and attribute reporter Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-12-25 13:17:17 +00:00			`_Reported by [@sdimovv](https://github.com/sdimovv)_`

security: fix CVE 2022 46145 (#4140) * add flow authentication requirement Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add website for cve Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * flows: handle FlowNonApplicableException without policy result Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add release notes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-12-02 15:14:25 +00:00			`## Unauthorized user creation and potential account takeover`

			`### Impact`

			`With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts`

			`### Patches`

			`authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used.`

			`### Workarounds`

			A policy can be created and bound to the `default-user-settings-flow` flow with the following contents

			```python
			`return request.user.is_authenticated`
			```