7.6
CVE-2026-44166
- EPSS 0.25%
- Veröffentlicht 12.05.2026 17:16:59
- Zuletzt bearbeitet 19.05.2026 16:20:40
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPocketbase: Account pre-hijacking via OAuth2 unverfied->verified autolinking upgrade
Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" (PocketBase OAuth2 auth requires to be with a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user), the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset. This vulnerability is fixed in 0.22.42 and 0.37.4.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pocketbase ≫ Pocketbase SwPlatformgo Version < 0.22.42
Pocketbase ≫ Pocketbase SwPlatformgo Version >= 0.23.0 < 0.37.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.157 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.6 | 2.8 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
|
| security-advisories@github.com | 6.1 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://github.com/pocketbase/pocketbase/security/advisories/GHSA-pq7p-mc74-g65w