CVE-2026-44166

7.6 HIGH

Pocketbase is an open source web backend written in go

Published: 2026-05-12 · Last updated: 2026-05-19

Severity and scoring

CVSS: 7.6 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
CWE: CWE-287

Affected products

Vendor	Product
pocketbase	pocketbase

Description

Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" (PocketBase OAuth2 auth requires to be with a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user), the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset. This vulnerability is fixed in 0.22.42 and 0.37.4.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44166
[Vendor advisory]https://github.com/pocketbase/pocketbase/security/advisories/GHSA-pq7p-mc74-g65w

Related CVEs

Same CWE

CVE-2026-48780 — Forem is open source software for building communities (8.2 HIGH)
CVE-2026-48114 — Metacat is data repository software that helps researchers preserve, share, and discover data (9.8 CRITICAL)
CVE-2026-12183 — Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerabili... (9.8 CRITICAL)
CVE-2026-50623 — An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF (4.8 MEDIUM)
CVE-2026-48611 — Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading t... (9.8 CRITICAL)