Vulnerability Information
Vulnerability Title
PocketBase: Account pre-hijacking via OAuth2 unverified->verified autolinking upgrade
Vulnerability Description
PocketBase is an open source web backend written in Go. Prior to 0.22.42 and 0.37.4, in some situations, an attacker who knows the victim's email address can create and link an unverified PocketBase user in advance by authenticating with one of the app's OAuth2 providers, e.g. "A". When the victim is later invited, or signs up to the app on their own, with a different provider "B" (it has to be a different provider, because PocketBase does not allow multiple OAuth2 accounts from the same provider to be associated with a single PocketBase user), the user created earlier by the attacker is autolinked, upgraded to "verified", and its old password reset. This vulnerability is fixed in 0.22.42 and 0.37.4.
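The autolinking decision the advisory describes, modelled in Go as an added illustration (this is not PocketBase's own code): `OAuth2Identity`, `User`, `Store` and `Authenticate` are constructed names, and the `strict` policy is one possible mitigation, not necessarily the one shipped in 0.22.42 / 0.37.4. With `strict=false` an existing unverified account is silently taken over by the first login that matches its email; with `strict=true` only an already verified account may be autolinked.

```go
package main

import "errors"

// OAuth2Identity is what a provider returns once the user has authorized the app.
// EmailVerified is the provider's assertion about the address; a provider that does
// not attest it yields an unverified local account, the attacker's starting point.
type OAuth2Identity struct {
	Provider, Email string
	EmailVerified   bool
}

// User is the subset of an auth record that matters for autolinking.
type User struct {
	Email     string
	Verified  bool
	Providers map[string]bool // OAuth2 providers already linked to this account
}

type Store map[string]*User // in-memory users collection keyed by email (constructed)

var ErrUnverifiedExisting = errors.New("email belongs to an unverified account: refusing to autolink")

// Authenticate resolves an OAuth2 login to a local user, creating or linking as needed.
// strict=false reproduces the behaviour the advisory describes: any existing account with
// the same email is autolinked and upgraded to verified. strict=true is a hardened policy:
// autolinking by email is only allowed onto an account that is already verified.
func (s Store) Authenticate(id OAuth2Identity, strict bool) (*User, error) {
	u, exists := s[id.Email]
	if !exists {
		u = &User{Email: id.Email, Verified: id.EmailVerified, Providers: map[string]bool{id.Provider: true}}
		s[id.Email] = u
		return u, nil
	}
	if u.Providers[id.Provider] {
		return u, nil // ordinary login through an already linked provider
	}
	if strict && !u.Verified {
		return nil, ErrUnverifiedExisting // nobody has proven ownership of this account yet
	}
	u.Providers[id.Provider] = true
	u.Verified = true // the email match is treated as proof of ownership
	return u, nil
}
```

In a real backend the strict branch would route the victim through email verification rather than just failing, so that a squatted unverified account can never be claimed through a different provider.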
CVSS Information
N/A
Vulnerability Type
Improper Authentication
Vulnerability Title
PocketBase Authorization Vulnerability
Vulnerability Description
PocketBase is an open source real-time backend developed by PocketBase. PocketBase versions prior to 0.22.42 and prior to 0.37.4 contain an authorization vulnerability. It stems from the fact that, in some situations, an attacker who knows the victim's email address can create and link an unverified PocketBase user in advance, so that when the victim signs up, that user is automatically linked and upgraded to verified.
CVSS Information
N/A
Vulnerability Type
N/A