Security Advisory: Not Invited User able to register if Invitation flow is configured

If the invitation registration is was configured along with custom registration form or object template which generated name property, user which was not invited was able to register even without invitation email.

This is High Severity Issue

The invitation feature is turned off by default, only specific configuration combination (invitation flow and custom form with name property) is needed to expose this vulnerability.

Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance release 4.8.1.

In the meantime users are advised to disable invitation registration or remove name property from custom registration form.