Deleting a user via the control panel does not delete the user's data

When I delete a user in Auth0 and have the user reauth, their user comes back with their previous history and Roles.

Steps to reproduce

  1. Create a user not assigned to a customer. Set that user to have a non-default role
  2. Reauth
  3. Delete the user
  4. Have user re-log in
  5. User is recreated with pre-existing Roles and history

I found this same vulnerability. It might be exploited by a bad actor to get access to restricted data.

Not only is this a security issue, it makes testing more difficult.