CVE-2026-44166

import requests # This is a conceptual PoC to demonstrate the attack flow. # Actual exploitation requires valid OAuth app credentials and victim interaction. TARGET_URL = "https://example.com/api/collections/users/records" VICTIM_EMAIL = "[email protected]" print(f"[+] Target: {TARGET_URL}") print(f"[+] Victim Email: {VICTIM_EMAIL}") # Step 1: Attacker initiates OAuth flow with Provider A (e.g., Google) # and creates an unverified account for the victim's email. print("[1] Attacker creates unverified account via OAuth Provider A...") # attacker_oauth_token = get_oauth_token_provider_a() # data = {"email": VICTIM_EMAIL, "provider": "google", "token": attacker_oauth_token} # r = requests.post(TARGET_URL + "/auth-with-oauth2", json=data) print("[!] Unverified user created (simulated).") # Step 2: Victim decides to sign up using OAuth Provider B (e.g., GitHub) print("[2] Victim initiates sign up via OAuth Provider B...") # victim_oauth_token = get_oauth_token_provider_b() # data = {"email": VICTIM_EMAIL, "provider": "github", "token": victim_oauth_token} # Step 3: System automatically links Provider B to the existing user created by Attacker # and marks the account as verified. print("[3] System auto-links Provider B to the existing user...") print("[!] Account is now verified and linked to attacker's initial record.") # Step 4: Attacker can now reset the password or access the account print("[4] Attacker resets password via API...") print("[!] Account takeover successful.")

{"cve": {"id": "CVE-2026-44166", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:17:29.123", "lastModified": "2026-05-19T16:20:40.930", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. \"A\". When the victim gets invited or decides to sign up to your app on their own with provider \"B\" (PocketBase OAuth2 auth requires to be with a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user), the user created previously by the attacker will be autolinked, upgraded to \"verified\" and its old password reset. This vulnerability is fixed in 0.22.42 and 0.37.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pocketbase:pocketbase:*:*:*:*:*:go:*:*", "versionEndExcluding": "0.22.42", "matchCriteriaId": "82C3D53E-1FEE-4477-985C-9392048F2F33"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pocketbase:pocketbase:*:*:*:*:*:go:*:*", "versionStartIncluding": "0.23.0", "versionEndExcluding": "0.37.4", "matchCriteriaId": "4D5B2E3F-7B3E-4F34-ACFF-42FCC50A2363"}]}]}], "references": [{"url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-pq7p-mc74-g65w", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}