
AshAuthentication CVE-2026-49757

EUVD-2026-36714 · CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-06-15 · EEF
CVSS 4.0 score 9.2 · Vendor: EEF

Severity by source

Vendor (EEF), primary: 9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.1 HIGH (its CVSS 3.1 vector)
Network-reachable and unauthenticated (AV:N/PR:N/UI:N), but exploitation needs a vulnerable OAuth2/OIDC strategy to be enabled plus a provider that lets the attacker assert the victim's email; the AI rating expresses that precondition as AC:H in CVSS 3.1 (the 4.0 vector carries it as AT:P). Full account takeover gives C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS 4.0 metrics (Vendor: EEF)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present (a vulnerable OAuth2/OIDC strategy must be enabled and the provider must let the attacker assert the victim's email)
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
Subsequent System Impact: None

Lifecycle Timeline (2 events)

Jun 15, 2026 12:20 (vuln.today): Source code evidence fetched
Jun 15, 2026 12:20 (vuln.today): Analysis generated

Description (CVE.org)

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.

AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.

A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges.

The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?).

This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.

Analysis (AI)

Account takeover in team-alembic AshAuthentication (0.1.0 to <4.14.0 and 5.0.0-rc.0 to <5.0.0-rc.10) lets an unauthenticated attacker hijack any local user account by completing an OAuth2 or OIDC sign-in with the victim's email address. The library matched federated logins to local users by email rather than by the OpenID Connect iss/sub pair, so any accepted provider that allows an attacker to register or reuse the victim's email - including providers that return email_verified: false - resolves to the victim's existing account. …
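The two matching rules contrasted in the Description and in the Analysis above (upsert on the email claim versus lookup on the (strategy, sub) identity, with an email link allowed only when email_verified is trusted), modelled as an added example in plain Python. This is not AshAuthentication code and uses none of the Ash API; IdentityStore, resolve_by_email, resolve_by_subject, UnlinkedIdentity, the sample users and the claim sets are constructed for the illustration, and the refuse-on-collision branch is an assumed policy, since the advisory only states when linking is permitted.

```python
"""Email-based vs (strategy, sub)-based resolution of a federated login.

Added illustration in plain Python; not AshAuthentication code. The store,
resolver names and sample data are invented for this example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: int
    email: str


class UnlinkedIdentity(Exception):
    """A federated login that cannot be safely bound to a local account."""


@dataclass
class IdentityStore:
    # Constructed sample data: one pre-existing local user, the victim.
    users: dict = field(default_factory=lambda: {1: User(1, "victim@example.com")})
    # (strategy, sub) -> local user id: the user-identity resource the fix keys on.
    identities: dict = field(default_factory=dict)
    next_id: int = 2

    def user_by_email(self, email: str) -> Optional[User]:
        wanted = email.strip().lower()
        return next((u for u in self.users.values() if u.email.lower() == wanted), None)

    def create_user(self, email: str) -> User:
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user


def resolve_by_email(store: IdentityStore, claims: dict) -> User:
    """Vulnerable pattern as the advisory describes it: upsert on the email
    claim and ignore sub, so any provider account carrying the victim's
    email, verified or not, lands on the victim's local account."""
    return store.user_by_email(claims["email"]) or store.create_user(claims["email"])


def resolve_by_subject(store: IdentityStore, strategy: str, claims: dict,
                       trust_email_verified: bool = False) -> User:
    """Fixed pattern: the (strategy, sub) pair is the identity. An unknown sub
    is linked to an existing local account by email only when the provider
    asserts email_verified: true AND this strategy is configured to trust it."""
    key = (strategy, claims["sub"])
    if key in store.identities:                 # returning identity; email is irrelevant
        return store.users[store.identities[key]]

    existing = store.user_by_email(claims["email"])
    if existing is None:
        user = store.create_user(claims["email"])       # genuinely new user
    elif trust_email_verified and claims.get("email_verified") is True:
        user = existing                                 # trusted, verified link
    else:
        # Assumed policy for this example (not stated by the advisory): refuse
        # rather than bind an unverified or untrusted email to someone's account.
        raise UnlinkedIdentity(f"{strategy}:{claims['sub']} -> {claims['email']}")
    store.identities[key] = user.id
    return user


def demo() -> dict:
    """Replay the advisory's attack against both resolvers; returns the outcomes."""
    # Constructed attacker token: victim's email, attacker's own sub, unverified.
    attacker = {"sub": "attacker-sub-123", "email": "victim@example.com",
                "email_verified": False}
    # Constructed token from a provider that really verified the victim's address.
    verified = {"sub": "victim-sub-999", "email": "victim@example.com",
                "email_verified": True}

    def outcome(store, strategy, claims, trust=False):
        try:
            return resolve_by_subject(store, strategy, claims, trust).id
        except UnlinkedIdentity:
            return "refused"

    store = IdentityStore()
    results = {
        "vulnerable": resolve_by_email(IdentityStore(), attacker).id,  # 1: takeover
        "fixed": outcome(store, "oidc", attacker),                     # refused
        "untrusted": outcome(store, "oauth2", verified),               # refused: trust flag off
        "linked": outcome(store, "oidc", verified, trust=True),        # 1: legitimate link
    }
    # The same (strategy, sub) later presents a changed email: still the same user.
    results["stable"] = outcome(store, "oidc", dict(verified, email="new@example.com"), trust=True)
    return results
```

The "untrusted" case is the one worth noticing in practice: a provider may send email_verified: true and still be refused, because trusting that claim is a per-strategy decision (the advisory's trust_email_verified?), not something a token can assert on its own. A missing email_verified claim is treated as unverified.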


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: identify the victim's email on the target application
  • Delivery: register an account at an accepted provider using the victim's email
  • Exploit: initiate an OAuth2/OIDC sign-in to the target
  • Execution: the provider returns a token carrying the victim's email
  • Persist: AshAuthentication upserts by email and binds the session to the victim's account
  • Impact: operate as the victim with full local privileges

Vulnerability Assessment (AI)

Exploitation: The target application must (a) run a vulnerable ash_authentication version (0.1.0 through 4.13.x, or 5.0.0-rc.0 through 5.0.0-rc.9) and (b) have at least one OAuth2 or OIDC family strategy enabled (Auth0, Apple, generic OAuth2, or OIDC) that the attacker can complete a sign-in against. …

Risk Assessment: The vendor's CVSS 4.0 score of 9.2 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H) is justified: exploitation is network-reachable and unauthenticated, and it yields full takeover of the victim's local account with whatever privileges that account holds. …

Exploit Scenario: An attacker identifies a target application using ash_authentication with, for example, an Auth0 or generic OIDC sign-in button, looks up a victim's email address (often public), and registers a fresh account at an accepted provider using that email, or picks a provider that does not verify email ownership at all. The attacker clicks "Sign in with <provider>", and because AshAuthentication matches by email rather than by (iss, sub), the session is bound to the victim's pre-existing local account with full privileges. …

Remediation: Vendor-released patch: upgrade ash_authentication to 4.14.0 on the 4.x line or to 5.0.0-rc.10 on the 5.x pre-release line (commits 728b8d28c1b5f465fa1116ef044a815300fc733d and 64530644f9b37ebb76ca14aeb83a77597a0034b7). …

Recommended Action (AI)

Within 24 hours: Identify all applications and systems using AshAuthentication library versions 0.1.0 to 4.13.x or 5.0.0-rc.0 to 5.0.0-rc.9; prioritize production systems. …
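A version check for the inventory step above, covering the affected ranges stated in the Description and the patch versions under Remediation, as an added example in Python that is not part of the advisory or of the project. The mix.lock fragment is constructed, the function names are invented for the illustration, and parse_version is a reduced semver comparator that handles hex release tags and -rc.N pre-release tags only; the edge it exists for is that 5.0.0-rc.9 must sort below the fixed 5.0.0-rc.10, which a plain string comparison gets backwards.

```python
"""Check a resolved ash_authentication version against the affected ranges
0.1.0 <= v < 4.14.0 and 5.0.0-rc.0 <= v < 5.0.0-rc.10.

Added illustration, not advisory or project code. The mix.lock excerpt is
constructed; parse_version is a small semver comparator, not a full one.
"""
import re
from typing import Optional, Tuple

# Constructed mix.lock fragment in the real file's shape; hashes are placeholders.
SAMPLE_MIX_LOCK = '''%{
  "ash": {:hex, :ash, "3.4.0", "0000", [:mix], [], "hexpm", "1111"},
  "ash_authentication": {:hex, :ash_authentication, "4.13.2", "2222", [:mix], [{:ash, "~> 3.0", [hex: :ash, repo: "hexpm", optional: false]}], "hexpm", "3333"},
}
'''


def parse_version(version: str) -> Tuple:
    """Sortable key with semver pre-release precedence: 5.0.0-rc.9 < 5.0.0-rc.10 < 5.0.0.
    Plain string comparison gets the first step wrong ("rc.9" > "rc.10")."""
    core, _, pre = version.partition("-")
    major, minor, patch = (int(x) for x in core.split("."))
    if not pre:
        return (major, minor, patch, (1,))           # a release outranks its pre-releases
    # Numeric identifiers compare numerically and rank below alphanumeric ones.
    idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, (0, *idents))


AFFECTED = [
    (parse_version("0.1.0"), parse_version("4.14.0")),            # 4.x line, fixed in 4.14.0
    (parse_version("5.0.0-rc.0"), parse_version("5.0.0-rc.10")),  # 5.x pre-release, fixed in rc.10
]


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside either half-open affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def locked_version(mix_lock: str) -> Optional[str]:
    """Resolved version from mix.lock (hex deps only; a :git dep carries no version).
    mix.exs holds only the requirement, e.g. "~> 4.0", not what is installed."""
    m = re.search(r'"ash_authentication":\s*\{:hex,\s*:ash_authentication,\s*"([^"]+)"', mix_lock)
    return m.group(1) if m else None


def audit(mix_lock: str) -> Tuple[Optional[str], bool]:
    """(resolved version or None, vulnerable?) for one project's mix.lock."""
    version = locked_version(mix_lock)
    return version, bool(version and is_vulnerable(version))
```

Run audit over each project's mix.lock rather than mix.exs: the lock file records the version that was actually resolved and compiled into the release, while mix.exs only records the requirement the resolver was given.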
