Improper access control in authentik - CVE-2022-46172

Published: December 23, 2022 / Updated: April 23, 2026
Vulnerability identifier: #VU127145
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-46172
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: authentik
Software vendor: Authentik Security Inc

Description

The vulnerability allows a remote authenticated user to create arbitrary accounts.

The vulnerability exists due to improper access control in the default-user-settings-flow endpoint when handling requests to execute the user settings flow. A remote user can send a request to the flow execution endpoint to create arbitrary accounts.

Exploitation requires an existing authenticated user session; unauthenticated requests are not affected.

Remediation

Install the security update from the vendor's website.

External links