PT-2024-27952 · Unknown · Pocketbase

Dalurness · Published 2024-06-18 · Updated 2024-07-01 · CVE-2024-38351

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PocketBase versions prior to 0.22.14

Description: A malicious user may be able to compromise other user accounts if both the OAuth2 and the Password auth methods are enabled. In the attack scenario, a malicious actor first registers a password account using the targeted user's email address and leaves it unverified; the targeted user later signs up with OAuth2 using that same email, and the OAuth2 identity is linked to the already existing record. The malicious actor can then access the targeted user's account with the email and password they set initially. To prevent this, the password is now reset for unverified users when an OAuth2 account is linked. Email alerts are also sent to users who log in with a password and have at least one OAuth2 account linked.

Recommendations: Update to version 0.22.14 to fix the issue. As a temporary workaround, consider disabling the OAuth2 auth method or restricting its use until the update is applied. Additionally, users are advised to change their account password immediately if they receive an email alert about unrecognized login activity and do not recognize the action.
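The account-linking logic described above, modelled as an added Go example (not PocketBase's own code): a constructed in-memory store, a `LinkOAuth` function whose `resetUnverified` flag switches between the pre-0.22.14 behaviour and the mitigation, and a `PasswordLogin` check that also reports the alert condition. Record fields, the `hashPassword` stand-in and the e-mail values are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)

// User models the auth-record fields this advisory turns on (constructed
// for the example; not PocketBase's own record type).
type User struct {
	Verified     bool   // has the email been verified?
	PasswordHash string // stand-in for the stored password hash
	OAuthLinked  bool
}

// Store is a constructed in-memory user store keyed by email.
type Store map[string]*User
// hashPassword is a stand-in; a real system uses bcrypt or argon2.
func hashPassword(pw string) string { return "hash(" + pw + ")" }

// LinkOAuth links an OAuth2 sign-in to the record with the provider's email
// (creating one if none exists). resetUnverified=false mirrors the pre-0.22.14
// behaviour above: a never-verified record keeps whatever password was set on
// it. resetUnverified=true applies the advisory's fix and replaces it.
func LinkOAuth(s Store, providerEmail string, resetUnverified bool) (*User, error) {
	u, ok := s[providerEmail]
	if !ok {
		u = &User{Verified: true}
		s[providerEmail] = u
	} else if !u.Verified && resetUnverified {
		b := make([]byte, 32)
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
		u.PasswordHash = hashPassword(hex.EncodeToString(b))
	}
	u.OAuthLinked = true
	return u, nil
}

// PasswordLogin checks a password; the second result is true when the account
// also has an OAuth2 link, the condition for the advisory's alert email.
func PasswordLogin(s Store, email, pw string) (ok, alert bool) {
	u, found := s[email]
	if !found || u.PasswordHash != hashPassword(pw) {
		return false, false
	}
	return true, u.OAuthLinked
}
```

Verified accounts are left untouched by either path; only a record that was never verified gets its password replaced, which is exactly the case the advisory's fix targets.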

Weakness Enumeration

Improper Authentication
Related Identifiers

CVE-2024-38351
GHSA-M93W-4FXV-R35V
GO-2024-2936

Affected Products

Pocketbase