
CVE-2022-45292: n/a in n/a

Medium
Tags: Vulnerability, CVE, CVE-2022-45292, n/a, CWE-672
Published: Fri Dec 09 2022 (12/09/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.

AI-Powered Analysis

AI analysis last updated: 06/22/2025, 07:05:35 UTC

Technical Analysis

CVE-2022-45292 is a medium-severity vulnerability in Funkwhale version 1.2.8, an open-source, self-hosted music server platform. The issue lies in how user invitation links are managed: an invite is not permanently expired after it has been used for signup. Instead, the invitation link remains valid and can be reused once the account created with it has been deleted. The root cause is that invitation tokens are not invalidated after account deletion, which corresponds to CWE-672 (Operation on a Resource After Expiration or Release). An attacker who obtains a previously used invite link can therefore reuse it to create additional accounts without restriction. The CVSS 3.1 base score is 5.3 (medium): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). The integrity impact is rated low because unauthorized account creation could lead to unauthorized access to, or manipulation of, user-related data or functionality within the Funkwhale instance. Since Funkwhale is often deployed by organizations or individuals to manage and share audio content internally or publicly, unauthorized account creation could lead to abuse of resources, unauthorized content uploads, or potential privilege escalation if combined with other vulnerabilities. No known exploits are reported in the wild, and no official patches or vendor advisories are linked, suggesting this is a recently disclosed issue that administrators of Funkwhale instances should attend to.

Potential Impact

For European organizations using Funkwhale, this vulnerability could lead to unauthorized account creation, enabling attackers to gain persistent access to the platform. This could result in misuse of storage and bandwidth resources, unauthorized content uploads or sharing, and potential reputational damage if malicious content is distributed. While the direct confidentiality impact is minimal, the integrity of the platform's user management and content could be compromised. Organizations relying on Funkwhale for internal collaboration or public-facing services may face operational disruptions or increased administrative overhead to manage unauthorized accounts. In regulated sectors, improper access controls could raise compliance concerns, especially under GDPR if personal data is involved. The vulnerability's ease of exploitation (no privileges or user interaction required) increases the risk of automated abuse or mass account creation attacks, which could be leveraged as a foothold for further attacks if combined with other vulnerabilities or misconfigurations.

Mitigation Recommendations

Administrators of Funkwhale instances should implement the following specific mitigations:

1. Immediately audit existing user invitation links and revoke or invalidate any previously used invites to prevent reuse.
2. Implement custom logic or scripts to track and permanently expire invitation tokens once used, ensuring they cannot be reused after account deletion.
3. Restrict the generation of invitation links to trusted administrators and limit the number of active invites at any time.
4. Monitor account creation logs for unusual patterns indicative of abuse, such as multiple accounts created from the same invite link or IP address.
5. If possible, upgrade to a Funkwhale version where this issue is fixed or apply community patches addressing invite token invalidation.
6. Employ additional access controls such as CAPTCHA or email verification to reduce automated account creation.
7. Regularly review and harden user management policies to minimize the impact of unauthorized accounts.

These steps go beyond generic advice by focusing on invitation token lifecycle management and proactive monitoring tailored to this specific vulnerability.
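To make the token-lifecycle point from the technical analysis and from mitigation 2 concrete, here is an added example (not Funkwhale's code) that models an invite registry with a hypothetical InviteStore class: one redeem path treats an invite as "used" only while the account that redeemed it still exists, the other records consumption on the invite itself so that deleting the account cannot free it. The class and method names, the 14-day time-based expiry and the sample invite code are assumptions.

```python
# Constructed example of invite-token lifecycle; not Funkwhale's code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Invite:
    code: str
    created: datetime
    consumed_at: Optional[datetime] = None  # hardened model: set once, never cleared
    consumed_by: Optional[str] = None       # username that redeemed the invite

class InviteStore:
    def __init__(self, ttl_days: int = 14):
        self.invites, self.users, self.ttl = {}, set(), timedelta(days=ttl_days)

    def _live(self, code: str, now: datetime) -> Optional[Invite]:
        inv = self.invites.get(code)  # None if unknown or past its time-based expiry
        return None if inv is None or now - inv.created > self.ttl else inv

    def redeem_vulnerable(self, code: str, username: str, now: datetime) -> bool:
        # Weak check: "used" only while the redeeming account exists, so deleting
        # that account silently frees the invite again (the CWE-672 pattern).
        inv = self._live(code, now)
        if inv is None or inv.consumed_by in self.users:
            return False
        inv.consumed_by = username
        self.users.add(username)
        return True

    def redeem_fixed(self, code: str, username: str, now: datetime) -> bool:
        # Hardened check: consumption is recorded on the invite itself and never undone.
        inv = self._live(code, now)
        if inv is None or inv.consumed_at is not None:
            return False
        inv.consumed_at, inv.consumed_by = now, username
        self.users.add(username)
        return True

    def delete_user(self, username: str) -> None:
        self.users.discard(username)  # invite records are deliberately left untouched

def reuse_after_deletion(vulnerable: bool) -> list:
    """Sign up, delete the account, sign up again with the same code; return both outcomes."""
    store = InviteStore()
    t0 = datetime(2022, 12, 9, tzinfo=timezone.utc)
    store.invites["inv-123"] = Invite(code="inv-123", created=t0)
    redeem = store.redeem_vulnerable if vulnerable else store.redeem_fixed
    first = redeem("inv-123", "alice", t0 + timedelta(hours=1))
    store.delete_user("alice")
    second = redeem("inv-123", "mallory", t0 + timedelta(days=1))
    return [first, second]
```

The second element of the returned list is the one to watch: the weak path yields True again after the account is gone, the hardened path refuses, and a log of repeated redemptions of one code is the signal mitigation 4 asks administrators to monitor for.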


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-11-14T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9847c4522896dcbf5b3d

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/22/2025, 7:05:35 AM

Last updated: 7/26/2025, 12:44:12 PM

