CVE-2022-46145
CVE-2022-46145 is a high-severity vulnerability in Goauthentik Authentik with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-306.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- EPSS exploit prediction: 1% (64th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-306
- Affected product: Goauthentik Authentik
- Published:
- Last modified:
Description
authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`.
Frequently asked questions
- What is CVE-2022-46145?
- authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`.
- How severe is CVE-2022-46145?
- CVE-2022-46145 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-46145 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (64th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-46145?
- CVE-2022-46145 affects Goauthentik Authentik. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-46145?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-46145 published?
- CVE-2022-46145 was published on 2022-12-02 and last updated on 2026-06-17.
References
- https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjf
- https://goauthentik.io/docs/releases/2022.10#fixed-in-2022102
- https://goauthentik.io/docs/releases/2022.11#fixed-in-2022112
Affected products (1)
- cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*
More vulnerabilities in Goauthentik Authentik
- CVE-2026-49448 — Critical (CVSS 9.8): authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage…
- CVE-2024-52289 — Critical (CVSS 9.8): authentik is an open-source identity provider. Redirect URIs in the OAuth2 provider in authentik are checked by RegEx…
- CVE-2025-52553 — Critical (CVSS 9.6): authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token…
- CVE-2023-46249 — Critical (CVSS 9.6): authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user…
- CVE-2022-23555 — Critical (CVSS 9.4): authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and…
- CVE-2026-42849 — Critical (CVSS 9.3): authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of…
All CVEs affecting Goauthentik Authentik →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →