PT-2026-37311 · Unknown · Pocketbase

Published 2026-05-05 · Updated 2026-05-19 · CVE-2026-44166

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Pocketbase versions prior to 0.22.42; Pocketbase versions prior to 0.37.4

Description: An issue exists in the OAuth2 autolinking process where an attacker who knows a victim's email address can pre-create and link an unverified user by authenticating with one OAuth2 provider. If the victim later signs up or is invited using a different OAuth2 provider, the previously created account is autolinked and upgraded to verified status. Because the earlier OAuth2 links are not cleared during this upgrade, the attacker retains access to the account.

Recommendations: Update to version 0.22.42 for installations running releases prior to 0.23.0; otherwise update to version 0.37.4.
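The missing step the description points at, shown on a constructed in-memory account model: when an unverified account is upgraded to verified by a later OAuth2 sign-in, any provider identities linked before the upgrade must be dropped. This is an added example, not PocketBase's own code or API; the Account, Store and AutoLink names, the provider names and the clearOnUpgrade switch (false reproduces the flawed behaviour, true the hardened one) are all assumptions of the model.

```go
package main

import "fmt"

// Constructed model of OAuth2 autolinking for this advisory; it is an
// added example, not PocketBase's own code or API.
// An Account is keyed by email and records linked OAuth2 identities.
type Account struct {
	Email    string
	Verified bool
	Links    map[string]string // provider name -> provider-side user id
}

// Store is an in-memory account table keyed by email.
type Store struct{ byEmail map[string]*Account }

func NewStore() *Store { return &Store{byEmail: map[string]*Account{}} }

// AutoLink processes an OAuth2 sign-in for email from provider.
// emailVerified is whether the provider asserts a verified email.
// clearOnUpgrade selects the hardened behaviour: when an unverified
// account is upgraded to verified, every previously linked provider
// identity is dropped first, so a link created earlier by a party who
// merely knew the address does not survive the upgrade.
func (s *Store) AutoLink(email, provider, providerID string, emailVerified, clearOnUpgrade bool) *Account {
	acc, ok := s.byEmail[email]
	if !ok {
		acc = &Account{Email: email, Verified: emailVerified, Links: map[string]string{}}
		s.byEmail[email] = acc
	} else if !acc.Verified && emailVerified {
		if clearOnUpgrade {
			acc.Links = map[string]string{} // hardened: drop stale links
		}
		acc.Verified = true
	}
	acc.Links[provider] = providerID
	return acc
}

func main() {
	for _, hardened := range []bool{false, true} {
		s := NewStore()
		s.AutoLink("victim@example.com", "providerA", "stale-id", false, hardened)
		acc := s.AutoLink("victim@example.com", "providerB", "victim-id", true, hardened)
		fmt.Printf("clearOnUpgrade=%v verified=%v links=%v\n", hardened, acc.Verified, acc.Links)
	}
}
```

A regression test for the real fix should assert the same thing the hardened branch does: after the verifying sign-in, only the verifying provider's link remains on the account.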

Weakness Enumeration: Improper Authentication

Related Identifiers

CVE-2026-44166
GHSA-PQ7P-MC74-G65W

Affected Products

Pocketbase