PocketBase CVE-2026-44166
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
A pre-hijacking issue was discovered with the OAuth2 autolinking by Alardiians.
In some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" _(PocketBase OAuth2 auth requires to be with a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user)_, the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset.
The upgrade flow operates within the expectations but the problem is that I forgot to clear the previous OAuth2 link(s) leaving the attacker to still have access to the initially created user.
Or in other words, the vulnerability is similar to the mixed password + OAuth2 auth pre-hijacking issue that we had in the past but with a slightly different angle.
So with that in mind, and to avoid introducing breaking changes to the auth flows, a new fix was applied that automatically deletes all such pre-existing OAuth2 links on "unverified" to "verified" upgrades.
While the vulnerability requires some prerequisites, it is considered severe and it is strongly recommended to upgrade to v0.37.4 _(or to v0.22.42 if you are using an older <v0.23.0 release)_.
AnalysisAI
PocketBase versions before 0.22.42 and 0.30.0-0.37.3 allow account pre-hijacking via OAuth2 autolinking, where an attacker knowing a victim's email can create an unverified account linked to one OAuth2 provider, then retain access when the victim authenticates with a different provider and the accounts are auto-merged, because previous OAuth2 links are not cleared during the upgrade from unverified to verified status. Publicly available exploit code exists; vendor recommends immediate upgrade to v0.37.4 or v0.22.42.
Technical ContextAI
PocketBase is a Go-based backend framework that implements OAuth2 authentication with account autolinking. The vulnerability stems from incomplete cleanup in the OAuth2 account upgrade flow. When a user transitions from unverified to verified status during OAuth2 provider linkage, the system does not delete pre-existing OAuth2 links created by an attacker on the same email address. The root cause is an authorization and authentication logic flaw (CWE-287) in the account linking and verification mechanism, where the system fails to invalidate previous authentication vectors when upgrading account status. This is compounded by PocketBase's design allowing multiple OAuth2 providers to link to a single user but preventing multiple accounts from the same provider-creating the window for pre-hijacking.
RemediationAI
Upgrade immediately to PocketBase v0.37.4 (for current releases) or v0.22.42 (for legacy releases prior to v0.23.0). The fix automatically deletes all pre-existing OAuth2 links during unverified-to-verified account upgrades, preventing attacker persistence. See vendor advisory at https://github.com/pocketbase/pocketbase/security/advisories/GHSA-pq7p-mc74-g65w for detailed patch notes. No workaround is available short of disabling OAuth2 authentication entirely; organizations unable to patch immediately should restrict OAuth2 provider enrollment to trusted, pre-registered user lists or require manual verification steps before account linking is finalized, though these introduce operational friction.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
GHSA-pq7p-mc74-g65w