
PocketBase CVE-2026-44166

Severity: MEDIUM (CVSS 4.0 base score 6.1)
Weakness: Improper Authentication (CWE-287)
Published: 2026-05-05
Project: https://github.com/pocketbase/pocketbase
Advisory: GHSA-pq7p-mc74-g65w

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Passive (P)
Scope: Not defined (X)

Lifecycle Timeline (3 events)

- May 12, 2026, 18:22 (NVD): CVSS changed to 6.1 (MEDIUM)
- May 05, 2026, 21:48 (vuln.today): Source code evidence fetched
- May 05, 2026, 21:48 (vuln.today): Analysis generated

Description (NVD)

A pre-hijacking issue was discovered with the OAuth2 autolinking by Alardiians.

In some situations, if an attacker knows the email address of the victim, they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" _(PocketBase OAuth2 auth requires it to be a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated with a single PocketBase user)_, the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset.

The upgrade flow operates within the expectations but the problem is that I forgot to clear the previous OAuth2 link(s) leaving the attacker to still have access to the initially created user.

Or in other words, the vulnerability is similar to the mixed password + OAuth2 auth pre-hijacking issue that we had in the past but with a slightly different angle.

So with that in mind, and to avoid introducing breaking changes to the auth flows, a new fix was applied that automatically deletes all such pre-existing OAuth2 links on "unverified" to "verified" upgrades.

While the vulnerability requires some prerequisites, it is considered severe and it is strongly recommended to upgrade to v0.37.4 _(or to v0.22.42 if you are using an older <v0.23.0 release)_.

Analysis (AI-generated)

PocketBase versions before 0.22.42 and 0.30.0-0.37.3 allow account pre-hijacking via OAuth2 autolinking, where an attacker knowing a victim's email can create an unverified account linked to one OAuth2 provider, then retain access when the victim authenticates with a different provider and the accounts are auto-merged, because previous OAuth2 links are not cleared during the upgrade from unverified to verified status. Publicly available exploit code exists; vendor recommends immediate upgrade to v0.37.4 or v0.22.42.
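The advisory text and the summary above describe the same root cause and the same fix: when an OAuth2 autolink upgrades a record from "unverified" to "verified", every OAuth2 link created before the upgrade must be removed, otherwise the first provider's account keeps access. The following Go program is an added illustration written for this page; it is not PocketBase's code, and the `Store`, `User`, `OAuth2Login` and `RunScenario` names, the field layout and the two-provider sequence are constructed assumptions. It replays the sequence from the advisory once without and once with the clearing step, which is the shape of regression check a maintainer would want for this class of bug.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// ExternalAuth is one OAuth2 link: the provider name plus the provider's user id.
type ExternalAuth struct {
	Provider   string
	ProviderID string
}

// User is a minimal stand-in for an auth record (constructed; not PocketBase's schema).
type User struct {
	Email    string
	Verified bool
	Password string
	Links    []ExternalAuth
}

// Store keys users by email, which is what autolinking matches on.
type Store struct {
	users map[string]*User
}

func NewStore() *Store { return &Store{users: map[string]*User{}} }

// randomPassword stands in for the password reset performed on upgrade.
func randomPassword() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// OAuth2Login models the sign-in / autolink step. clearStaleLinks selects the
// pre-fix behaviour (false: old links survive the upgrade) or the fixed
// behaviour (true: old links are dropped when the record becomes verified).
func (s *Store) OAuth2Login(provider, providerID, email string, clearStaleLinks bool) (*User, error) {
	u, ok := s.users[email]
	if !ok {
		// First OAuth2 sign-in for this email creates an unverified record.
		u = &User{Email: email, Verified: false, Password: randomPassword()}
		u.Links = []ExternalAuth{{Provider: provider, ProviderID: providerID}}
		s.users[email] = u
		return u, nil
	}
	for _, l := range u.Links {
		if l.Provider == provider {
			if l.ProviderID == providerID {
				return u, nil // normal login over an existing link
			}
			// Only one account per provider may be linked to a record.
			return nil, errors.New("a different account from this provider is already linked")
		}
	}
	// A different provider authenticated the same email: autolink.
	if !u.Verified {
		if clearStaleLinks {
			u.Links = nil // the fix: forget links that predate verification
		}
		u.Verified = true
		u.Password = randomPassword()
	}
	u.Links = append(u.Links, ExternalAuth{Provider: provider, ProviderID: providerID})
	return u, nil
}

// HasLink reports whether the given provider account can still sign in as u.
func (u *User) HasLink(provider, providerID string) bool {
	for _, l := range u.Links {
		if l.Provider == provider && l.ProviderID == providerID {
			return true
		}
	}
	return false
}

// RunScenario replays the advisory's sequence: provider "A" signs in first for
// the victim's email, then the real owner signs in with provider "B".
func RunScenario(clearStaleLinks bool) *User {
	s := NewStore()
	const email = "victim@example.com" // constructed sample value
	if _, err := s.OAuth2Login("A", "first-provider-id", email, clearStaleLinks); err != nil {
		panic(err)
	}
	u, err := s.OAuth2Login("B", "owner-id", email, clearStaleLinks)
	if err != nil {
		panic(err)
	}
	return u
}

func main() {
	for _, fixed := range []bool{false, true} {
		u := RunScenario(fixed)
		fmt.Printf("clearStaleLinks=%v verified=%v provider-A link retained=%v\n",
			fixed, u.Verified, u.HasLink("A", "first-provider-id"))
	}
}
```

The point of the check is the last line of output in each run: with `clearStaleLinks=false` the record is verified but the earlier provider "A" link is still present, which is the access the advisory says the attacker retains; with `clearStaleLinks=true` only the verifying provider "B" link remains. Deleting rather than merging the stale links is what keeps the change non-breaking for legitimate flows, since a user who genuinely owns both provider accounts can simply link the first one again after verification.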


Vendor Status (Vendor)

CVE-2026-44166 vulnerability details – vuln.today
