PatchSiren

PocketBase CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM pocketbase CVE published 2026-05-12

CVE-2026-44166

PocketBase versions prior to 0.22.42 and 0.37.4 contain an authentication bypass vulnerability in their OAuth2 user linking mechanism. An attacker who knows a victim's email address can pre-create an unverified PocketBase user account by authenticating with one OAuth2 provider (e.g., Provider A). When the legitimate victim later signs up or is invited using a different OAuth2 provider (Provider B), Pocket [truncated]