Improper access control in authentik - CVE-2022-46145


Published: December 2, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127146
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-46145
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Authentik Security Inc
Affected software:
authentik

Detailed vulnerability description

The vulnerability allows a remote attacker to create unauthorized accounts and potentially take over accounts.

The vulnerability exists due to improper access control in the default user settings flow when it handles account creation and email-verified password recovery. A remote attacker can create a new account and overwrite the email address of an admin account, which allows the attacker to create unauthorized accounts and potentially take over existing accounts.

Account takeover is possible if a flow exists that allows email-verified password recovery.


How to mitigate CVE-2022-46145

Install the security update from the vendor's website.

Sources