# CVE-2022-46145

_Reported by [@sdimovv](https://github.com/sdimovv)_

## Unauthorized user creation and potential account takeover

### Impact

With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts.

### Patches

authentik 2022.11.2 and 2022.10.2 fix this issue; for other versions the workaround below can be used.

### Workarounds

A policy can be created and bound to the `default-user-settings-flow` flow with the following contents, so that only authenticated users pass the flow:

```python
return request.user.is_authenticated
```