PT-2022-27786 · Authentik

Dreamingraven
Published: 2022-12-28
Updated: 2026-04-16
CVE: CVE-2022-46172
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: authentik versions prior to 2022.10.4; authentik versions prior to 2022.11.4
Description: The issue allows any authenticated user to create an arbitrary number of accounts through the default flows, which circumvents policies under which users should not be able to create new accounts themselves. Because the newly created basic accounts exist throughout the SSO infrastructure, other applications relying on it may be affected. By default the new accounts cannot be logged into, since no password reset flow exists out of the box, but most installations are likely to have password resets enabled. The issue lies in the user context used in the default-user-settings-flow, /api/v3/flows/instances/default-user-settings-flow/execute/.
Recommendations: For versions prior to 2022.10.4, update to version 2022.10.4 or later. For versions prior to 2022.11.4, update to version 2022.11.4 or later.


Weakness Enumeration: Improper Privilege Management (CWE-269); Improper Authentication (CWE-287)

Related Identifiers: BIT-AUTHENTIK-2022-46172, CVE-2022-46172, GHSA-HV8R-6W7P-MPC5

Affected Products: Authentik