CVE-2026-44166

Source
https://cve.org/CVERecord?id=CVE-2026-44166
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44166.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44166
Aliases
Published
2026-05-12T17:16:59.613Z
Modified
2026-07-08T08:12:35.314843483Z
Severity
  • 6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Pocketbase: Account pre-hijacking via OAuth2 unverfied->verified autolinking upgrade
Details

Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" (PocketBase OAuth2 auth requires to be with a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user), the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset. This vulnerability is fixed in 0.22.42 and 0.37.4.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44166.json"
}
References

Affected packages

Git / github.com/pocketbase/pocketbase

Affected ranges

Type
GIT
Repo
https://github.com/pocketbase/pocketbase
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.22.42"
        },
        {
            "introduced": "0.23.0"
        },
        {
            "fixed": "0.37.4"
        }
    ],
    "cpe": "cpe:2.3:a:pocketbase:pocketbase:*:*:*:*:*:go:*:*",
    "source": "CPE_RANGE"
}

Affected versions

v0.*
v0.1.0
v0.1.1
v0.1.2
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.16.0
v0.16.1
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.19.0
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.20.0
v0.20.0-rc
v0.20.0-rc2
v0.20.0-rc3
v0.20.1
v0.21.0
v0.21.1
v0.22.1
v0.22.12
v0.22.13
v0.22.14
v0.22.14-rc
v0.22.15
v0.22.16
v0.22.17
v0.22.18
v0.22.19
v0.22.2
v0.22.20
v0.22.21
v0.22.22
v0.22.23
v0.22.24
v0.22.25
v0.22.26
v0.22.27
v0.22.28
v0.22.29
v0.22.3
v0.22.30
v0.22.31
v0.22.32
v0.22.33
v0.22.34
v0.22.35
v0.22.36
v0.22.37
v0.22.38
v0.22.39
v0.22.4
v0.22.40
v0.22.41
v0.22.5
v0.22.6
v0.22.7
v0.22.8
v0.22.9
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.24.0
v0.24.1
v0.24.2
v0.24.3
v0.24.4
v0.25.0
v0.26.0
v0.26.0-rc.1
v0.26.1
v0.27.0
v0.28.0
v0.28.1
v0.28.2
v0.28.3
v0.28.4
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.30.0
v0.30.1
v0.30.2
v0.30.3
v0.30.4
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.34.1
v0.34.2
v0.35.0
v0.35.1
v0.36.0
v0.36.0-rc.1
v0.36.1
v0.36.2
v0.36.3
v0.36.4
v0.36.5
v0.36.6
v0.36.7
v0.36.7-rc.1
v0.36.8
v0.36.9
v0.37.0
v0.37.1
v0.37.2
v0.37.3
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.6.0
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.0-rc1
v0.8.0-rc2
v0.8.0-rc3
v0.8.0-rc4
v0.9.0
v0.9.1
v0.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44166.json"