PT-2022-16070 · Authentik · Authentik

Fuomag9 · Published 2022-12-28 · Updated 2026-04-16 · CVE-2022-23555

CVSS v3.1 9.4 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

authentik versions prior to 2022.11.4
authentik versions prior to 2022.10.4
Description

The issue is token reuse in invitation URLs: an invitation token is not bound to the enrollment flow it was issued for, so it can be redeemed through a different enrollment flow than the one in the link, bypassing access control. The token shown in the Invitations section of the admin interface does not change when a different enrollment flow is selected, and nothing ties it to that flow. An attacker who holds one valid invitation link and knows the names of other invitation flows, such as enrollment-invitation-test and enrollment-invitation-admin, can replace the flow in the URL and sign up through any of them with the same token. Only configurations that use invitations and have several enrollment flows with invitation stages granting different permissions are affected; the default configuration and configurations with a single enrollment flow are not vulnerable.
Recommendations

For versions prior to 2022.11.4, update to version 2022.11.4 or later. For versions prior to 2022.10.4, update to version 2022.10.4 or later. As a temporary workaround, add fixed data to each invitation and check it with a policy in the flow so that requests carrying an invitation meant for another flow are denied. Alternatively, use a high-entropy identifier such as a UUID as the flow slug; this makes other flows impractical to guess and so mitigates the attack vector, but it does not remove the underlying token reuse.

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

BIT-AUTHENTIK-2022-23555
CVE-2022-23555
GHSA-9QWP-JF7P-VR7H

Affected Products

Authentik