security: fix oobe-flow reuse when akadmin is deleted (#7361)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

website/docs/releases/2023/v2023.10.md

@@ -127,6 +127,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.10
 
 ## Fixed in 2023.10.2
 
+-   \*: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)
 -   blueprints: fix entries with state: absent not being deleted if their serializer has errors (#7345)
 -   crypto: fix race conditions when creating self-signed certificates on startup (#7344)
 -   lifecycle: rework otp_merge migration (#7359)

website/docs/security/GHSA-rjvp-29xq-f62w.md

@@ -0,0 +1,27 @@
+# GHSA-rjvp-29xq-f62w
+
+_Reported by [@devSparkle](https://github.com/devSparkle)_
+
+## Potential Installation takeover when default admin user is deleted
+
+### Summary
+
+In the affected versions, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication.
+
+### Patches
+
+authentik 2023.8.4 and 2023.10.2 fix this issue, for other versions the workaround can be used.
+
+### Impact
+
+authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again.
+
+### Workarounds
+
+Ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)