Lucene search

8 matches found

ATTACKERKB
added 2026/05/12 5:16 p.m. | 2 views

CVE-2026-44166

Pocketbase is an open source web backend written in Go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When th...

CVSS 6.1 | AI score 5.7 | EPSS 0.00035
Exploits: 0 | References: 2 | Affected Software: 1
Vulnrichment
added 2026/05/12 5:16 p.m. | 6 views

CVE-2026-44166 Pocketbase: Account pre-hijacking via OAuth2 unverified->verified autolinking upgrade

Pocketbase is an open source web backend written in Go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When th...

CVSS 6.1 | AI score 5.7 | EPSS 0.00035
Exploits: 0 | References: 1
Snyk
added 2026/05/05 9:17 p.m. | 2 views

Improper Authentication

Overview: github.com/pocketbase/pocketbase/forms is a realtime backend in 1 file. Affected versions of this package are vulnerable to Improper Authentication in the OAuth2 autolinking process. An attacker can gain unauthorized access to a victim's account by pre-registering an unverified user with...

CVSS 7.6 | AI score 5.8 | EPSS 0.00035
Exploits: 0 | References: 2
Snyk
added 2026/05/05 9:17 p.m. | 2 views

Improper Authentication

Overview: github.com/pocketbase/pocketbase/apis is a realtime backend in 1 file. Affected versions of this package are vulnerable to Improper Authentication in the OAuth2 autolinking process. An attacker can gain unauthorized access to a victim's account by pre-registering an unverified user with t...

CVSS 7.6 | AI score 5.8 | EPSS 0.00035
Exploits: 0 | References: 2
Snyk
added 2026/05/05 9:17 p.m. | 4 views

Improper Authentication

Overview: github.com/pocketbase/pocketbase/daos is a realtime backend in 1 file. Affected versions of this package are vulnerable to Improper Authentication in the OAuth2 autolinking process. An attacker can gain unauthorized access to a victim's account by pre-registering an unverified user with t...

CVSS 7.6 | AI score 5.8 | EPSS 0.00035
Exploits: 0 | References: 2
Snyk
added 2026/05/05 9:17 p.m. | 5 views

Improper Authentication

Overview: Affected versions of this package are vulnerable to Improper Authentication in the OAuth2 autolinking process. An attacker can gain unauthorized access to a victim's account by pre-registering an unverified user with the victim's email address using one OAuth2 provider, and then waiting...

CVSS 7.6 | AI score 5.8 | EPSS 0.00035
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/05 12:00 a.m. | 4 views

PT-2026-37311

Name of the Vulnerable Software and Affected Versions: Pocketbase versions prior to 0.22.42; Pocketbase versions prior to 0.37.4. Description: An issue exists in the OAuth2 autolinking process where an attacker knowing a victim's email address can pre-create and link an unverified user by...

CVSS 6.1 | AI score 5.8 | EPSS 0.00035
Exploits: 0 | References: 4
CNNVD
added 2026/03/25 12:00 a.m. | 4 views

n8n Authorization Issue Vulnerability

n8n is an open-source, scalable workflow automation tool developed by n8n. Versions of n8n prior to 2.4.0 and 1.121.0 contained vulnerabilities related to authorization. These vulnerabilities stemmed from the LDAP identity autolinking mechanism and could lead to account takeover attacks...

CVSS 8.8 | AI score 5.8 | EPSS 0.0003
Exploits: 0 | References: 2