Deleting User via control panel does not delete user's data

asyriala · July 19, 2022, 5:40pm

When I delete a user in auth0, and have the user reauth, their user comes back with their previous history and Roles.

Steps to reproduce

Create a user not assigned to a customer. Set that user to have a non-default role
Reauth
Delete the user
Have user re-log in
User is recreated with pre-existing Roles and history

arturo.alvarez · August 7, 2022, 7:52am

I found this same vulnerability. It might be exploited by a bad actor to get access to restricted data.

thready · October 21, 2023, 3:14pm

Not only is this a security issue, it makes testing more difficult.

Topic		Replies	Views
Management API delete user inconsistent role deletion Help management-api , users	5	1300	April 14, 2024
Auth0 Admin User is Not Deleted Knowledge Articles	1	386	December 5, 2023
Deleted Users Through Auth0 Dashboard Not Removed And Inaccessible Help	7	4071	November 19, 2020
recreating deleted users Help auth0-users , users , delete-user , manage-users , user	5	6076	March 2, 2018
Best practice for user deletion when user data is stored in multiple locations Help	1	3135	March 21, 2020