Description
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.

AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.

A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges.

The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?).

This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
Published: 2026-06-15
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AshAuthentication incorrectly identifies local users by email address instead of the required issuer and subject combination, allowing an attacker who can create a new OAuth2/OIDC account with the victim's email to be signed in as that victim. This authentication bypass results in the attacker gaining full local privileges, effectively capturing the victim’s account and all data stored under it. The weakness aligns with CWE-290, which describes authentication mechanisms that rely on non‑unique or untrusted attributes.

Affected Systems

The vulnerability affects AshAuthentication versions from the initial release 0.1.0 up to but not including 4.14.0, and from 5.0.0-rc.0 up to but not including 5.0.0-rc.10. The affected implementation is maintained by team‑alembic.

Risk and Exploitability

The CVSS score of 9.2 marks this flaw as critical. The EPSS score is not available, so the current probability of exploitation is unknown, but the flaw remains highlighted in security advisories without being listed in the CISA KEV catalog. Attackers can exploit the issue simply by registering an OAuth account with the victim’s email, a process that does not require privileged access to the target system. The attack vector is via legitimate OAuth2/OIDC sign‑in flows, making it potentially easy to execute by untrusted external actors.

Generated by OpenCVE AI on June 15, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AshAuthentication to version 4.14.0 or later, or 5.0.0-rc.10 or later.
  • Configure OAuth2/OIDC strategies to require the email_verified claim before linking identities to existing accounts (trust_email_verified? setting).
  • Audit user accounts for unexpected duplicates or sign‑ins that may indicate takeover attempts.

Generated by OpenCVE AI on June 15, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Description Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
Title OAuth2/OIDC account takeover in AshAuthentication via email-based user matching
First Time appeared Team-alembic
Team-alembic ash Authentication
Weaknesses CWE-290
CPEs cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*
Vendors & Products Team-alembic
Team-alembic ash Authentication
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Team-alembic Ash Authentication
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-15T14:14:37.882Z

Reserved: 2026-06-01T13:45:22.449Z

Link: CVE-2026-49757

cve-icon Vulnrichment

Updated: 2026-06-15T12:35:34.621Z

cve-icon NVD

Status : Received

Published: 2026-06-15T12:16:25.777

Modified: 2026-06-15T12:16:25.777

Link: CVE-2026-49757

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T15:15:17Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing