CVE-2026-44166
PocketBase suffers an account pre-hijacking vulnerability via OAuth2 unverfied→verified autolinking. An attacker who knows a victim’s email can pre-create and link an unverified PocketBase user by authenticating with an OAuth2 provider (e.g., A). When the victim later signs up with a different pr...