PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49757 team-alembic CVE debrief

CVE-2026-49757 is a critical vulnerability in AshAuthentication, a library used for authentication in Elixir applications. The vulnerability allows an attacker to bypass authentication and take over a local user's account using OAuth2 or OIDC sign-in. This is possible because AshAuthentication's OAuth2 and OIDC strategies match local users by email address instead of the OpenID Connect iss/sub claim combination, which is the recommended approach. An attacker can register an account on any accepted OAuth provider with the victim's email and gain full local privileges.

Vendor
team-alembic
Product
AshAuthentication
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-15
Original CVE updated
2026-06-15
Advisory published
2026-06-15
Advisory updated
2026-06-15

Who should care

Developers using AshAuthentication in their Elixir applications should be aware of this vulnerability and take immediate action to patch it. Specifically, those using versions 0.1.0 to 4.14.0 or 5.0.0-rc.0 to 5.0.0-rc.10 are affected.

Technical summary

The vulnerability arises from AshAuthentication's use of email addresses to match local users with OAuth2/OIDC providers. According to OpenID Connect Core §5.7, only the iss/sub claim combination uniquely identifies an end-user. Email addresses can be unverified, reused, or reclaimed, so matching on them lets someone else's provider account resolve to an existing local user, leading to account takeover. The fix resolves users by the (strategy, sub) identity stored in a user identity resource and links a new sub to an existing local account by email only when the provider's email_verified claim is trusted.
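To make the two matching rules concrete, here is an added example (not AshAuthentication's code, and not using its API) that puts the email-based lookup beside a resolver keyed on (strategy, sub) with a trusted-provider gate for email linking. The provider names idp-a and idp-b, the claims, the email addresses and the in-memory store are all constructed for illustration.

```python
"""Added illustration of the identity-matching bug and its fix.  Not the
library's code; provider names, claims and emails are constructed."""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str


@dataclass
class Store:
    """Toy stand-in for a user resource plus a user-identity resource."""
    users: dict = field(default_factory=dict)       # user id -> User
    identities: dict = field(default_factory=dict)  # (strategy, sub) -> user id
    next_id: int = 1

    def create_user(self, email):
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user

    def user_by_email(self, email):
        return next((u for u in self.users.values() if u.email == email), None)


# Constructed policy: providers whose email_verified claim this deployment trusts.
TRUSTED_EMAIL_VERIFIED = {"idp-a"}


def resolve_by_email(store, strategy, claims):
    """Vulnerable pattern: the email claim alone selects the local account,
    so any accepted provider account carrying that email resolves to it."""
    user = store.user_by_email(claims["email"])
    if user is None:
        user = store.create_user(claims["email"])
    return user, "matched_email"


def resolve_by_identity(store, strategy, claims):
    """Hardened pattern: (strategy, sub) identifies the account (strategy
    stands in for the OIDC issuer here).  Email is consulted only to link a
    never-seen sub, and only when the provider's email_verified claim is
    trusted; otherwise an email collision is refused rather than linked."""
    key = (strategy, claims["sub"])
    user_id = store.identities.get(key)
    if user_id is not None:
        return store.users[user_id], "matched_identity"
    existing = store.user_by_email(claims.get("email"))
    if existing is None:
        user = store.create_user(claims.get("email"))
        store.identities[key] = user.id
        return user, "created"
    if strategy in TRUSTED_EMAIL_VERIFIED and claims.get("email_verified") is True:
        store.identities[key] = existing.id
        return existing, "linked_by_verified_email"
    return None, "refused_unverified_email"


def demo():
    """Run both resolvers against constructed sign-ins and report the outcomes."""
    store = Store()
    victim = store.create_user("victim@example.com")  # pre-existing local account
    victim_claims = {"sub": "victim-sub", "email": "victim@example.com", "email_verified": True}
    _, first_login = resolve_by_identity(store, "idp-a", victim_claims)

    # Provider accounts registered by someone else with the victim's email.
    same_idp_unverified = {"sub": "other-sub", "email": "victim@example.com", "email_verified": False}
    other_idp_verified = {"sub": "other-sub", "email": "victim@example.com", "email_verified": True}

    weak_user, _ = resolve_by_email(store, "idp-b", other_idp_verified)
    hardened_same = resolve_by_identity(store, "idp-a", same_idp_unverified)
    hardened_other = resolve_by_identity(store, "idp-b", other_idp_verified)
    _, relogin = resolve_by_identity(store, "idp-a", victim_claims)

    return {
        "first_login": first_login,                             # linked_by_verified_email
        "weak_resolver_returns_victim": weak_user.id == victim.id,  # True: the takeover
        "hardened_same_idp": hardened_same,                     # (None, refused_unverified_email)
        "hardened_other_idp": hardened_other,                   # (None, refused_unverified_email)
        "victim_relogin": relogin,                              # matched_identity
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened resolver never lets an email claim pick an existing account on its own: a known (strategy, sub) wins outright, an unknown sub with a fresh email creates a new user, and an unknown sub whose email collides with a local account is linked only when the provider is on the trusted list and asserts email_verified. A deployment could replace the refusal with a manual linking flow, but the essential point is that the default is not to link.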

Defensive priority

critical

Recommended defensive actions

  • Upgrade AshAuthentication to version 4.14.0 or later, or 5.0.0-rc.10 or later.
  • Review and adjust the configuration of OAuth2/OIDC providers to ensure that only trusted providers are used.
  • Implement additional security measures, such as monitoring for suspicious login activity.

Evidence notes

The CVE-2026-49757 record and associated references provide detailed information about the vulnerability, its impact, and the fixes. Key sources include the CVE.org record, NVD details, and references from Erlef and GitHub.

Official resources

CVE-2026-49757 was published on 2026-06-15T12:16:25.777Z and has not been modified since then.