PatchSiren cyber security CVE debrief

CVE-2026-44166 pocketbase CVE debrief

PocketBase versions prior to 0.22.42 (0.22.x series) and from 0.23.0 up to but excluding 0.37.4 contain an authentication bypass in the OAuth2 user-linking mechanism. An attacker who knows a victim's email address can pre-create an unverified PocketBase auth record by signing in through one OAuth2 provider (Provider A) with an identity that reports the victim's address. When the legitimate victim later signs up or is invited through a different OAuth2 provider (Provider B), PocketBase's autolinking logic matches on the email and attaches the victim's Provider B identity to the attacker-created record. That record is upgraded to verified status while the attacker's Provider A identity stays linked to it, so the victim's login now lands in an account the attacker can also sign into. The root cause is that account ownership is not verified during OAuth2 autolinking; attaching a new identity to an existing account should require explicit user confirmation.

The CVSS 4.0 vector indicates network attack vector, low attack complexity, user interaction required (the victim only performs a normal login), low confidentiality impact, high integrity impact, and low availability impact.

Vendor
pocketbase
Product
Unknown
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-19
Advisory published
2026-05-12
Advisory updated
2026-05-19

Who should care

Organizations running PocketBase as a backend for user authentication, particularly those relying on OAuth2 authentication with multiple providers. Security teams monitoring for account takeover vulnerabilities in Go-based web backends. Developers implementing OAuth2 flows who need to understand autolinking risks.

Technical summary

The vulnerability lies in PocketBase's OAuth2 authentication flow, where accounts are autolinked by email without sufficient verification of account ownership. When a user authenticates via OAuth2, PocketBase looks for an existing auth record whose email matches the address returned by the provider and, if one exists, links the new OAuth2 identity to it. The attack proceeds as follows: (1) obtain the victim's email address; (2) authenticate through OAuth2 Provider A with an identity that reports that address, which creates an unverified record carrying the victim's email (the stored evidence does not say how the attacker obtains such an identity; any provider whose email claim the attacker can control would do); (3) wait for the victim to authenticate through OAuth2 Provider B. On the victim's login, the autolinking logic matches the email and links the victim's Provider B identity to the attacker-created record, which is then marked verified. The attacker's Provider A identity remains linked, so the attacker keeps a login to the now-verified record the victim is using; this is the high integrity impact in the CVSS vector. The stored evidence does not describe the code change in 0.22.42 and 0.37.4; presumably the fix stops unverified, pre-created records from being autolinked, or requires explicit confirmation before a new provider identity is attached to an existing record.
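As an added illustration written for this debrief (not PocketBase's own code; every type, field and function name is an assumption), the following Go model runs the three steps above against two autolink policies: the behaviour described in the summary, and a hardened rule that matches by email only when the provider vouches for the address and the existing record is already verified. The sample email and identities are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative model written for this debrief, not PocketBase code: every type,
// field and function name below is an assumption.
// Record is a minimal auth record: email, verified flag, and the OAuth2
// identities linked to it (provider name -> provider-side user id).
type Record struct {
	ID       string
	Email    string
	Verified bool
	Links    map[string]string
}

// OAuth2User is what a provider returns after a login; EmailVerified says
// whether the provider itself vouches for the address.
type OAuth2User struct {
	Provider, ID, Email string
	EmailVerified       bool
}

// Store is an in-memory user table keyed by lower-cased email.
type Store struct {
	byEmail map[string]*Record
	nextID  int
}

func (s *Store) create(u OAuth2User, verified bool) *Record {
	s.nextID++
	r := &Record{ID: fmt.Sprintf("rec%d", s.nextID), Email: strings.ToLower(u.Email),
		Verified: verified, Links: map[string]string{u.Provider: u.ID}}
	s.byEmail[r.Email] = r
	return r
}

// AuthVulnerable reproduces the autolink behaviour the debrief describes: any record
// with the same email is adopted, the new identity attached and the record marked verified.
func (s *Store) AuthVulnerable(u OAuth2User) *Record {
	if r, ok := s.byEmail[strings.ToLower(u.Email)]; ok {
		r.Links[u.Provider] = u.ID
		r.Verified = true
		return r
	}
	return s.create(u, u.EmailVerified)
}

var (
	ErrEmailUnverified       = errors.New("provider did not verify the email; not matching by email")
	ErrLinkNeedsConfirmation = errors.New("existing record is unverified; explicit linking required")
)

// AuthHardened matches by email only when both sides vouch for the address: the
// provider verified it and the existing record is already verified. An unverified
// pre-existing record is never silently adopted, and a login never flips its verified flag.
func (s *Store) AuthHardened(u OAuth2User) (*Record, error) {
	r, ok := s.byEmail[strings.ToLower(u.Email)]
	if !ok {
		return s.create(u, u.EmailVerified), nil
	}
	if !u.EmailVerified {
		return nil, ErrEmailUnverified
	}
	if !r.Verified {
		return nil, ErrLinkNeedsConfirmation
	}
	r.Links[u.Provider] = u.ID
	return r, nil
}

// Outcome is the state of the record carrying the victim's email after the attack.
type Outcome struct {
	BothLinked bool  // attacker's and victim's identities both attached
	Verified   bool  // record's verified flag
	Err        error // error the victim's login produced, if any
}

// Scenario runs the debrief's three steps against one policy. The attacker's Provider A
// identity claims the victim's address unverified; the victim's Provider B identity is verified.
func Scenario(hardened bool) Outcome {
	s := &Store{byEmail: map[string]*Record{}}
	const email = "victim@example.com" // constructed sample value
	attacker := OAuth2User{Provider: "providerA", ID: "attacker-42", Email: email}
	victim := OAuth2User{Provider: "providerB", ID: "victim-7", Email: email, EmailVerified: true}
	var err error
	if hardened {
		s.AuthHardened(attacker)        // step 2: creates the unverified record
		_, err = s.AuthHardened(victim) // step 3: the victim signs in
	} else {
		s.AuthVulnerable(attacker)
		s.AuthVulnerable(victim)
	}
	r := s.byEmail[email]
	_, a := r.Links["providerA"]
	_, b := r.Links["providerB"]
	return Outcome{BothLinked: a && b, Verified: r.Verified, Err: err}
}
```

With the vulnerable policy, `Scenario(false)` ends with both identities on one verified record; with the hardened policy, the victim's login is refused with `ErrLinkNeedsConfirmation` and the record stays unverified with only the attacker's identity on it. The right follow-up to that refusal is an explicit, user-confirmed link or operator review, never a silent merge. A pre-upgrade PocketBase auth hook would enforce the same rule; hook names differ between 0.22 and 0.23+ and are not reproduced here.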

Defensive priority

medium

Recommended defensive actions

  • Upgrade PocketBase to 0.22.42 (0.22.x series) or 0.37.4 (0.23.x to 0.37.x series) or later to remediate this vulnerability
  • Review existing auth records for suspicious linking patterns, in particular records created via one OAuth2 provider that later gained an identity from a different provider and became verified at that point
  • Until the upgrade is applied, add a verification step to OAuth2 linking: refuse to attach a new provider identity to an existing record that is not verified, and require explicit user confirmation instead
  • Monitor authentication logs for accounts created with one OAuth2 provider and subsequently linked to a different provider
  • In custom deployments, require email verification before OAuth2 account autolinking is allowed
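The review and monitoring items above amount to one hunt: find auth records whose identities come from more than one OAuth2 provider, then look at which provider created the record and when the others were attached. The following Go routine is an added example written for this debrief (not PocketBase code) that runs that hunt over rows shaped like PocketBase's _externalAuths system collection; the column names, the timestamp layout and the verified-flag lookup are assumptions, and the sample rows are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Added detection example for this debrief, not PocketBase code. ExternalAuth
// mirrors one row of the _externalAuths system collection as this example
// assumes it (recordId, provider, providerId, created); 0.23+ calls the record
// reference recordRef, so adjust the field mapping when exporting.
type ExternalAuth struct {
	RecordID, Provider, ProviderID string
	Created                        string // assumed PocketBase datetime layout, see pbTime
}

const pbTime = "2006-01-02 15:04:05.000Z"

// Finding is one auth record holding identities from more than one provider,
// with the provider that created it first and the others in link order.
type Finding struct {
	RecordID       string
	Verified       bool
	FirstProvider  string
	FirstLinked    time.Time
	LaterProviders []string
	LaterLinked    []time.Time
}

// MultiProviderRecords groups rows by record, orders each record's links by
// creation time and reports records whose later links come from a provider
// other than the one that created the record. verified maps record id to the
// record's current verified flag so findings can be prioritised.
func MultiProviderRecords(rows []ExternalAuth, verified map[string]bool) ([]Finding, error) {
	type link struct {
		provider string
		at       time.Time
	}
	byRecord := map[string][]link{}
	for _, r := range rows {
		at, err := time.Parse(pbTime, r.Created)
		if err != nil {
			return nil, fmt.Errorf("row %s/%s: bad created timestamp %q: %w", r.RecordID, r.Provider, r.Created, err)
		}
		byRecord[r.RecordID] = append(byRecord[r.RecordID], link{r.Provider, at})
	}
	var out []Finding
	for id, ls := range byRecord {
		sort.Slice(ls, func(i, j int) bool { return ls[i].at.Before(ls[j].at) })
		f := Finding{RecordID: id, Verified: verified[id], FirstProvider: ls[0].provider, FirstLinked: ls[0].at}
		seen := map[string]bool{ls[0].provider: true}
		for _, l := range ls[1:] {
			if seen[l.provider] {
				continue
			}
			seen[l.provider] = true
			f.LaterProviders = append(f.LaterProviders, l.provider)
			f.LaterLinked = append(f.LaterLinked, l.at)
		}
		if len(f.LaterProviders) > 0 {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].RecordID < out[j].RecordID })
	return out, nil
}

// SampleRows is a constructed data set, not export data: rec1 was created
// through providerA and gained a providerB identity a week later (the pattern
// from the debrief); rec2 and rec3 each have a single identity.
func SampleRows() []ExternalAuth {
	return []ExternalAuth{
		{"rec1", "providerA", "attacker-42", "2026-05-01 09:00:00.000Z"},
		{"rec2", "providerB", "u-1", "2026-05-02 10:00:00.000Z"},
		{"rec1", "providerB", "victim-7", "2026-05-08 14:30:00.000Z"},
		{"rec3", "providerC", "u-9", "2026-05-03 11:00:00.000Z"},
	}
}

func main() {
	findings, err := MultiProviderRecords(SampleRows(), map[string]bool{"rec1": true, "rec2": true})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s verified=%v first=%s@%s later=%v\n",
			f.RecordID, f.Verified, f.FirstProvider, f.FirstLinked.Format(pbTime), f.LaterProviders)
	}
}
```

On a live deployment, export the _externalAuths rows and the auth collection's id/verified pairs and feed them in. The pattern to triage is a record created through one provider, now verified, with a second provider attached later; in the attack described above the earlier identity is the attacker's. A record with several providers is not automatically compromised (a user may legitimately sign in through two providers), so cross-check the link timestamps against the user's own activity before acting.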

Evidence notes

CVE description confirms the attacker can pre-create unverified accounts when knowing the victim's email. Vendor advisory confirms fix versions 0.22.42 and 0.37.4. CPE criteria confirm the affected version ranges: all versions before 0.22.42, and versions from 0.23.0 up to but excluding 0.37.4. CVSS 4.0 vector from NVD confirms medium severity with high integrity impact. CWE-287 (Improper Authentication) is classified as the primary weakness.

Official resources

2026-05-12