
Older Versions of authentik Allow Unauthorized User Creation

BIT-authentik-2022-46145 CVE-2022-46145 GHSA-mjfw-54m5-fvjf
Summary

Versions of authentik before 2022.11.2 and 2022.10.2 allow anyone to create new accounts without authentication. This could be used to take over admin accounts if email-verified password recovery is enabled. To fix this, update to the latest version or create a policy to require authentication for new accounts.

What to do
  • Update authentik to version 2022.11.2.
Affected software
Ecosystem   Vendor   Product     Affected versions
Bitnami     –        authentik   >= 2022.11.0, < 2022.11.2
Fix: upgrade to 2022.11.2
Original title
authentik vulnerable to unauthorized user creation and potential account takeover
Original description
authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow` flow with the contents `return request.user.is_authenticated`.
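The affected range is not a single "everything below X" cut-off: the fix shipped in 2022.11.2 and was backported to 2022.10.2, so 2022.10.2 and later 2022.10.x releases are fixed while 2022.11.0 and 2022.11.1 are still affected. The following Python check, added here as an example and not part of this advisory or of the authentik project, encodes exactly that range so an operator can test the version string of a deployment (for example the value shown in the authentik admin interface). The function names and the accepted `YYYY.M.P` version format are assumptions.

```python
"""Check whether an authentik version is affected by CVE-2022-46145.

Added example; the version strings below are constructed for illustration.
"""
import re

# Patched releases named in the advisory, keyed by branch (year, month).
# The fix landed in 2022.11.2 and was backported to 2022.10.2.
FIXED_PATCH_BY_BRANCH = {(2022, 10): 2, (2022, 11): 2}
# Branches older than this received no patched release at all.
OLDEST_PATCHED_BRANCH = (2022, 10)

_VERSION_RE = re.compile(r"v?(\d{4})\.(\d{1,2})\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse 'YYYY.M.P' (optionally prefixed with 'v') into (year, month, patch)."""
    match = _VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised authentik version string: {version!r}")
    year, month, patch = (int(part) for part in match.groups())
    return (year, month, patch)


def is_affected(version: str) -> bool:
    """True if this version allows unauthenticated account creation per the advisory."""
    year, month, patch = parse_version(version)
    branch = (year, month)
    if branch in FIXED_PATCH_BY_BRANCH:
        # Within a patched branch, only releases below the fix are affected.
        return patch < FIXED_PATCH_BY_BRANCH[branch]
    # Older branches never got a fix; newer branches were cut after the fix.
    return branch < OLDEST_PATCHED_BRANCH


def recommended_upgrade(version: str) -> str:
    """Smallest fixed release for an affected version, or '' if already fixed."""
    if not is_affected(version):
        return ""
    year, month, _ = parse_version(version)
    # Stay on the 2022.10 branch if already there; otherwise move to 2022.11.2.
    if (year, month) == (2022, 10):
        return "2022.10.2"
    return "2022.11.2"


if __name__ == "__main__":
    # Constructed sample of deployment versions an operator might be running.
    for sample in ("2022.9.0", "2022.10.1", "2022.10.3", "2022.11.1", "2022.11.2", "2023.1.0"):
        status = "AFFECTED" if is_affected(sample) else "fixed"
        print(f"{sample:<10} {status:<9} {recommended_upgrade(sample)}")
```

The branch table is the point of the example: a naive `version < "2022.11.2"` comparison would wrongly flag 2022.10.2 and 2022.10.3 as vulnerable and, because it compares strings, would also misorder 2022.9.x against 2022.10.x.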
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026