CVE-2026-44166
Published: May 12, 2026
Updated: May 16, 2026
PocketBase is an open source web backend written in Go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" (the PocketBase OAuth2 auth must be with a different provider, because PocketBase does not allow multiple OAuth2 accounts from the same provider to be associated with a single PocketBase user), the user created previously by the attacker will be autolinked, upgraded to "verified", and its old password reset. This vulnerability is fixed in 0.22.42 and 0.37.4.
Affected Packages
github.com/pocketbase/pocketbase (GO):
Affected version(s): >=v0.0.0-20220708101348-de3ad44d6643 <v0.22.42
Fix Suggestion: Update to version v0.22.42
github.com/pocketbase/pocketbase (GO):
Affected version(s): >=v0.30.0 <v0.37.4
Fix Suggestion: Update to version v0.37.4
CVSS v4
Base Score: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: PRESENT
Privileges Required: NONE
User Interaction: PASSIVE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: HIGH
Vulnerable System Availability: LOW
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 7.6
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: LOW
Integrity: HIGH
Availability: LOW
Weakness Type (CWE): Improper Authentication
EPSS
Base Score: 0.04