Authentik · Authentik · CVE-2022-46145
**Name of the Vulnerable Software and Affected Versions**
authentik versions prior to 2022.11.2
authentik versions prior to 2022.10.2
**Description**
authentik is an open-source identity provider. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts.
**Recommendations**
As a temporary workaround for versions prior to 2022.11.2 and 2022.10.2, consider creating an expression policy with the contents `return request.user.is_authenticated` and binding it to the `default-user-settings-flow` flow, so that unauthenticated users can no longer use that flow.
Update to version 2022.11.2 or later to fix the issue.
Update to version 2022.10.2 or later to fix the issue.