Skip to main content

PocketBase CVE-2026-44166

MEDIUM
Improper Authentication (CWE-287)
2026-05-05 https://github.com/pocketbase/pocketbase GHSA-pq7p-mc74-g65w
6.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.6 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
May 12, 2026 - 18:22 NVD
6.1 (MEDIUM)
Source Code Evidence Fetched
May 05, 2026 - 21:48 vuln.today
Analysis Generated
May 05, 2026 - 21:48 vuln.today

DescriptionGitHub Advisory

A pre-hijacking issue was discovered with the OAuth2 autolinking by Alardiians.

In some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" _(PocketBase OAuth2 auth requires to be with a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user)_, the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset.

The upgrade flow operates within the expectations but the problem is that I forgot to clear the previous OAuth2 link(s) leaving the attacker to still have access to the initially created user.

Or in other words, the vulnerability is similar to the mixed password + OAuth2 auth pre-hijacking issue that we had in the past but with a slightly different angle.

So with that in mind, and to avoid introducing breaking changes to the auth flows, a new fix was applied that automatically deletes all such pre-existing OAuth2 links on "unverified" to "verified" upgrades.

While the vulnerability requires some prerequisites, it is considered severe and it is strongly recommended to upgrade to v0.37.4 _(or to v0.22.42 if you are using an older <v0.23.0 release)_.

AnalysisAI

PocketBase versions before 0.22.42 and 0.30.0-0.37.3 allow account pre-hijacking via OAuth2 autolinking, where an attacker knowing a victim's email can create an unverified account linked to one OAuth2 provider, then retain access when the victim authenticates with a different provider and the accounts are auto-merged, because previous OAuth2 links are not cleared during the upgrade from unverified to verified status. Publicly available exploit code exists; vendor recommends immediate upgrade to v0.37.4 or v0.22.42.

Technical ContextAI

PocketBase is a Go-based backend framework that implements OAuth2 authentication with account autolinking. The vulnerability stems from incomplete cleanup in the OAuth2 account upgrade flow. When a user transitions from unverified to verified status during OAuth2 provider linkage, the system does not delete pre-existing OAuth2 links created by an attacker on the same email address. The root cause is an authorization and authentication logic flaw (CWE-287) in the account linking and verification mechanism, where the system fails to invalidate previous authentication vectors when upgrading account status. This is compounded by PocketBase's design allowing multiple OAuth2 providers to link to a single user but preventing multiple accounts from the same provider-creating the window for pre-hijacking.

RemediationAI

Upgrade immediately to PocketBase v0.37.4 (for current releases) or v0.22.42 (for legacy releases prior to v0.23.0). The fix automatically deletes all pre-existing OAuth2 links during unverified-to-verified account upgrades, preventing attacker persistence. See vendor advisory at https://github.com/pocketbase/pocketbase/security/advisories/GHSA-pq7p-mc74-g65w for detailed patch notes. No workaround is available short of disabling OAuth2 authentication entirely; organizations unable to patch immediately should restrict OAuth2 provider enrollment to trusted, pre-registered user lists or require manual verification steps before account linking is finalized, though these introduce operational friction.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-44166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy