SB2022120249 - Improper access control in authentik

Published: December 2, 2022 Updated: April 23, 2026

Security Bulletin ID: SB2022120249
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2022-46145)

The vulnerability allows a remote attacker to create unauthorized accounts and potentially take over accounts.

The vulnerability exists due to improper access control in the default user settings flow. With the default flows, an unauthenticated remote attacker can create new accounts. If the instance also has a flow that allows email-verified password recovery, the attacker can use it to overwrite the email address of an admin account and take over that account.

Unauthorized account creation does not depend on any additional configuration; account takeover is possible only if a flow exists that allows email-verified password recovery.


Remediation

Install the update from the vendor's website.