
CVE-2022-46145: CWE-287: Improper Authentication in goauthentik authentik

Medium
Published: Fri Dec 02 2022 (12/02/2022, 17:12:42 UTC)
Source: CVE
Vendor/Project: goauthentik
Product: authentik

Description

authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow` flow with the contents `return request.user.is_authenticated`.

AI-Powered Analysis

Last updated: 06/22/2025, 11:21:44 UTC

Technical Analysis

CVE-2022-46145 is a vulnerability classified under CWE-287 (Improper Authentication) affecting the open-source identity provider authentik, specifically versions prior to 2022.10.2 and between 2022.11.0 and 2022.11.2. authentik manages user identities and authentication flows for organizations. The vulnerability arises because the default user creation flows let unauthenticated users create new accounts without any check that the request comes from an authenticated user. Unauthenticated self-registration is a security risk on its own, but it becomes critical when the deployment also has a flow that permits email-verified password recovery: the same flaw can be used to overwrite the email address associated with an administrator account, after which the recovery flow verifies against the attacker-controlled address and the privileged account can be taken over. The result is unauthorized administrative access to authentik, which can lead to full compromise of identity management functions, allowing attackers to manipulate authentication policies, user permissions, and access controls across connected systems. The issue was addressed in authentik 2022.10.2 and 2022.11.2 by fixing the authentication checks in the user creation flows. As an interim mitigation, administrators can create a policy with the contents 'return request.user.is_authenticated' and bind it to the 'default-user-settings-flow', which denies the flow to unauthenticated requests and so prevents unauthenticated user creation. No exploits in the wild have been reported to date, but the nature of the vulnerability makes it a significant risk if left unpatched, especially where authentik serves as a critical identity provider.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial. Identity providers like authentik are central to managing user authentication and authorization across enterprise applications and services. Unauthorized creation of user accounts and potential takeover of administrator accounts can lead to severe breaches of confidentiality, integrity, and availability. Attackers gaining admin access could manipulate user permissions, access sensitive data, disrupt authentication services, or pivot to other internal systems. This could result in data breaches, operational disruptions, and compliance violations under regulations such as GDPR. Organizations relying on authentik for single sign-on (SSO) or multi-factor authentication (MFA) could see these security controls undermined, increasing the risk of lateral movement by attackers. The vulnerability's exploitation does not require prior authentication, lowering the barrier for attackers. Given the critical role of identity providers, the threat extends beyond individual organizations to potentially impact supply chains and partner ecosystems within Europe.

Mitigation Recommendations

Beyond applying the official patches in authentik versions 2022.10.2 or 2022.11.2, European organizations should take the following specific steps:

1) Immediately implement the recommended policy binding to the 'default-user-settings-flow' to enforce authentication on user creation flows, preventing unauthenticated account creation.
2) Audit existing user accounts, especially administrator accounts, for unauthorized changes to email addresses or other credentials, and reset passwords where suspicious activity is detected.
3) Review and restrict password recovery flows to ensure they require strong verification and cannot be abused to overwrite critical account information.
4) Monitor authentik logs for unusual account creation patterns or password recovery requests originating from unknown or suspicious IP addresses.
5) Employ network segmentation and access controls to limit exposure of the authentik service to trusted networks and users only.
6) Educate administrators and security teams about this vulnerability and ensure rapid incident response capabilities are in place.
7) Consider integrating additional identity verification steps or MFA for administrative account changes to reduce risk of takeover.
8) Regularly update authentik and related identity infrastructure components to incorporate security fixes and improvements.
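Steps 2 and 4 above (auditing admin accounts for email changes and watching for anonymous account creation) can be scripted over an export of the authentik event log. The following Python is an added example written for this page, not code from the authentik project or from the advisory. The event record shape it uses (action, actor, target, changes) is a constructed simplification, not authentik's real event schema, and the sample events and usernames are constructed; map real exported events onto the `Event` dataclass before use. It also includes a plain-Python mirror of the advisory's workaround policy expression so the intended effect of the binding is visible.

```python
"""Offline audit of constructed authentik-style event records for the two
CVE-2022-46145 indicators: accounts created by an anonymous actor, and
e-mail changes on superuser accounts made by someone other than the
account owner. Record shape and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    action: str                     # constructed: "model_created" / "model_updated"
    actor: Optional[str]            # username performing the action; None = anonymous
    target: str                     # username of the affected account
    target_is_superuser: bool
    changes: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # field -> (old, new)
    source_ip: str = ""


# Constructed sample export: one anonymous self-registration, one foreign
# e-mail change on an admin, one legitimate self-service change, one
# admin-created user.
SAMPLE_EVENTS: List[Event] = [
    Event("model_created", None, "mallory", False, source_ip="203.0.113.5"),
    Event("model_updated", "mallory", "akadmin", True,
          {"email": ("admin@example.org", "mallory@example.net")}, "203.0.113.5"),
    Event("model_updated", "akadmin", "akadmin", True,
          {"email": ("admin@example.org", "ops@example.org")}, "192.0.2.10"),
    Event("model_created", "akadmin", "alice", False, source_ip="192.0.2.10"),
]


def anonymous_account_creations(events: List[Event]) -> List[Event]:
    """Step 4: account creations with no authenticated actor behind them."""
    return [e for e in events if e.action == "model_created" and e.actor is None]


def foreign_admin_email_changes(events: List[Event]) -> List[Event]:
    """Step 2: e-mail rewrites on superuser accounts by a different principal
    (including an anonymous one); a self-change by the owner is not flagged."""
    hits = []
    for e in events:
        if e.action != "model_updated" or "email" not in e.changes:
            continue
        if e.target_is_superuser and e.actor != e.target:
            hits.append(e)
    return hits


def audit(events: List[Event]) -> Dict[str, List[str]]:
    """Summarise both indicators as target usernames, keyed by finding type."""
    return {
        "anonymous_creations": [e.target for e in anonymous_account_creations(events)],
        "admin_email_overwrites": [e.target for e in foreign_admin_email_changes(events)],
    }


@dataclass
class User:
    is_authenticated: bool


@dataclass
class Request:
    user: User


def settings_flow_policy(request: Request) -> bool:
    """Plain-Python mirror of the advisory's workaround expression policy
    ('return request.user.is_authenticated'): True lets the flow continue,
    False denies it, so an anonymous request cannot reach user creation."""
    return request.user.is_authenticated


if __name__ == "__main__":
    for kind, targets in audit(SAMPLE_EVENTS).items():
        print(f"{kind}: {targets}")
    for authenticated in (False, True):
        allowed = settings_flow_policy(Request(User(authenticated)))
        print(f"authenticated={authenticated} -> flow allowed={allowed}")
```

On the constructed sample the audit reports `mallory` as an anonymous creation and `akadmin` as an admin e-mail overwrite by a foreign actor, while the owner's own change to `akadmin` and the admin-created `alice` account pass. Extend `foreign_admin_email_changes` with your own superuser list if the export does not carry the superuser flag.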


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-11-28T17:27:19.995Z
CISA Enriched: true

Threat ID: 682d9846c4522896dcbf4ebc

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 11:21:44 AM

Last updated: 8/18/2025, 11:28:48 PM

Views: 13

