Security Advisory: Not Invited User able to register if Invitation flow is configured

Last modified 09 Feb 2024 14:12 +01:00

Date: 29. 01. 2024

Severity: High (CVSS 8.0)

Affected versions: 4.8

Fixed in versions: 4.8.1


If the invitation registration is was configured along with custom registration form or object template which generated name property, user which was not invited was able to register even without invitation email.

Severity and Impact

This is High Severity Issue

The invitation feature is turned off by default, only specific configuration combination (invitation flow and custom form with name property) is needed to expose this vulnerability.


Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance release 4.8.1.

In the meantime users are advised to disable invitation registration or remove name property from custom registration form.

Was this page helpful?
Thanks for your feedback