Description
PocketBase is an open source web backend written in Go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" (the victim must use a different provider, because PocketBase does not allow multiple OAuth2 accounts from the same provider to be associated with a single PocketBase user), the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset. This vulnerability is fixed in 0.22.42 and 0.37.4.
Published: 2026-05-12
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker who knows a victim's email address to pre-create an unverified account with that email using one OAuth2 provider. When the victim later signs up with a different provider, the system automatically links the sign-up to that pre-created account, promotes it to verified and resets its old password. As a result, the attacker gains full control of the victim's account, effectively bypassing authentication; this is an instance of CWE-287, Improper Authentication.

Affected Systems

PocketBase versions earlier than 0.22.42 and 0.37.4 are affected. The product is the open-source PocketBase backend, and the flaw is present when the application allows OAuth2 authentication from multiple providers for a single user, which is often the default configuration.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog, implying limited public exploitation so far. The attack requires the attacker to know a victim's email address, authenticate with one OAuth2 provider to pre-create an unverified account, and wait until the victim signs up with a second provider; once these conditions are met, the attacker's pre-created account is linked to the victim's sign-up and granted full control.

Generated by OpenCVE AI on May 12, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade PocketBase to version 0.22.42 or 0.37.4 or later, which resolves the improper authentication flaw (CWE-287).
  • Until the patch is applied, disable automatic linking of accounts across different OAuth2 providers to prevent unauthorized account takeover.
  • Review existing accounts for suspicious cross-provider linking and monitor authentication logs for abnormal linking events.

Generated by OpenCVE AI on May 12, 2026 at 20:43 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-pq7p-mc74-g65w
Title: PocketBase vulnerable to account pre-hijacking via OAuth2 unverfied->verified autolinking upgrade
History

Tue, 19 May 2026 16:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:pocketbase:pocketbase:*:*:*:*:*:go:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L'}

Wed, 13 May 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Pocketbase; Pocketbase pocketbase

Type: Vendors & Products
Values Added: Pocketbase; Pocketbase pocketbase

Tue, 12 May 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type: Description
Values Added: Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" (PocketBase OAuth2 auth requires to be with a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user), the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset. This vulnerability is fixed in 0.22.42 and 0.37.4.

Type: Title
Values Added: Pocketbase: Account pre-hijacking via OAuth2 unverfied->verified autolinking upgrade

Type: Weaknesses
Values Added: CWE-287

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T18:50:17.712Z

Reserved: 2026-05-05T14:39:34.923Z

Link: CVE-2026-44166

Vulnrichment

Updated: 2026-05-12T18:47:15.773Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:29.123

Modified: 2026-05-19T16:20:40.930

Link: CVE-2026-44166

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:37:58Z

Weaknesses