CVE-2024-52871 Overview
CVE-2024-52871 is an authorization bypass vulnerability in Flagsmith, an open-source feature flag and remote configuration platform. Versions prior to 2.134.1 allow attackers to bypass the ALLOW_REGISTRATION_WITHOUT_INVITE setting. Administrators rely on this setting to restrict account creation to invited users only. The flaw lets unauthenticated attackers register accounts even when the setting is explicitly disabled. This undermines the access control posture of Flagsmith deployments that depend on invitation-only onboarding.
Critical Impact
Remote attackers can create accounts on Flagsmith instances that should be closed to public registration, exposing the platform to unauthorized access.
Affected Products
- Flagsmith versions prior to 2.134.1
- Self-hosted Flagsmith deployments using ALLOW_REGISTRATION_WITHOUT_INVITE=false
- Flagsmith instances exposing the registration API endpoint to untrusted networks
Discovery Timeline
- 2024-11-17 - CVE-2024-52871 published to the National Vulnerability Database
- 2025-07-07 - Last updated in NVD database
Technical Details for CVE-2024-52871
Vulnerability Analysis
Flagsmith exposes a configuration option named ALLOW_REGISTRATION_WITHOUT_INVITE. Administrators set this flag to false to require an invitation before a user can create an account. The vulnerability allows attackers to bypass this control entirely. An unauthenticated request to the registration endpoint succeeds even when the setting prohibits open registration.
The weakness is classified as a broken access control issue. The CWE classification is NVD-CWE-noinfo because the upstream advisory did not provide a specific CWE mapping. The fix was merged in pull request #4454 and released in Flagsmith 2.134.1.
The EPSS score is 0.066%, reflecting low observed exploitation activity. The flaw still poses a meaningful risk to organizations that rely on registration restrictions to enforce tenant boundaries or limit attack surface on internet-facing deployments.
Root Cause
The root cause is incomplete enforcement of the ALLOW_REGISTRATION_WITHOUT_INVITE configuration value in the registration request path. The server-side check that should reject unsolicited sign-ups does not cover all registration code paths. The patch in pull request #4454 closes the gap so that the registration handler honors the setting consistently.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the Flagsmith registration endpoint on an exposed instance. The server processes the request and provisions an account despite the invitation-only configuration. The attacker then logs in with the newly created credentials and accesses functionality intended for invited users.
No public proof-of-concept exploit is currently published. Refer to the Flagsmith pull request #4454 and the v2.134.0 to v2.134.1 diff for the exact code paths affected.
Detection Methods for CVE-2024-52871
Indicators of Compromise
- Unexpected new user accounts created on Flagsmith instances configured with ALLOW_REGISTRATION_WITHOUT_INVITE=false
- HTTP POST requests to /api/v1/auth/users/ or related registration endpoints from untrusted source IPs
- Account creation events with no corresponding invitation record in the Flagsmith database
Detection Strategies
- Audit the Flagsmith user table for accounts created after deployment that lack a matching invitation entry
- Review reverse-proxy and application logs for 2xx responses on registration endpoints when registration should be disabled
- Compare the running Flagsmith version against 2.134.1 and flag any instance running an earlier release
Monitoring Recommendations
- Forward Flagsmith application logs to a centralized logging or SIEM platform and alert on new user registrations
- Monitor authentication events for first-time logins from newly registered accounts on internet-facing instances
- Track configuration drift on the ALLOW_REGISTRATION_WITHOUT_INVITE environment variable across deployments
How to Mitigate CVE-2024-52871
Immediate Actions Required
- Upgrade Flagsmith to version 2.134.1 or later on all self-hosted deployments
- Audit existing accounts and disable or delete any user that was not provisioned through an invitation
- Restrict network access to the Flagsmith registration endpoint using firewall rules or reverse-proxy ACLs until patching is complete
Patch Information
The fix is delivered in Flagsmith 2.134.1. Review the GitHub version comparison and the pull request #4454 discussion for the full set of code changes. Apply the upgrade following the standard Flagsmith deployment process for your environment, whether Docker, Helm, or source-based installation.
Workarounds
- Place the Flagsmith application behind a reverse proxy that blocks unauthenticated POST requests to the registration endpoint
- Restrict the Flagsmith instance to internal networks or VPN-only access until the upgrade is applied
- Continuously review the user table and remove unauthorized accounts on a scheduled basis
# Upgrade Flagsmith using Docker
docker pull flagsmith/flagsmith:2.134.1
docker stop flagsmith
docker rm flagsmith
docker run -d --name flagsmith \
-e ALLOW_REGISTRATION_WITHOUT_INVITE=false \
-p 8000:8000 \
flagsmith/flagsmith:2.134.1
# Verify the running version
docker exec flagsmith python -c "import flagsmith; print(flagsmith.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
