Pocketbase OAuth2 Pre-Hijacking Vulnerability Allowing Unverified to Verified User Autolinking
Vulnerability
A pre-hijacking vulnerability has been identified in Pocketbase versions prior to 0.22.42 and 0.37.4. An attacker who knows the victim's email address can create an unverified Pocketbase user for that address by authenticating with an OAuth2 provider, leaving the new account linked to the attacker's provider identity. When the victim later signs up with a different OAuth2 provider, that attacker-linked account is automatically upgraded to verified status and its password is reset, but the earlier OAuth2 link is not cleared, so the attacker retains access to what is now the victim's verified account.
Impact
Exploitation of this vulnerability allows unauthorized account access: a user created by the attacker and linked to the victim's email address bypasses the verification process and, because its OAuth2 link survives the password reset, remains usable by the attacker after the victim completes sign-up.
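To make the linking flaw concrete, the following Go program models the account-linking step in a toy in-memory user store. It is an added example written for this page, not PocketBase's code or data model; the types, the OAuth2Login method, the provider and e-mail values, and the clearOldLinks switch are all hypothetical. The switch selects between the vulnerable behaviour (upgrade an unverified account to verified and keep every previously linked identity) and the hardened behaviour (drop all earlier links when the upgrade happens, so only the identity that actually verified the e-mail remains).

```go
package main

import "fmt"

// Hypothetical model of OAuth2 account linking, built to illustrate the
// pre-hijacking flaw described in the advisory. Not PocketBase's code.

// OAuthIdentity is the (provider, subject) pair asserted by an OAuth2 provider.
type OAuthIdentity struct {
	Provider string
	Subject  string
}

// User is a minimal account record: e-mail, verification state and the set
// of external identities that are allowed to log in as this user.
type User struct {
	Email    string
	Verified bool
	Links    map[OAuthIdentity]bool
}

// Store is an in-memory user table keyed by e-mail (constructed for the example).
type Store struct {
	byEmail map[string]*User
}

func NewStore() *Store { return &Store{byEmail: map[string]*User{}} }

// OAuth2Login models "sign in with <provider>". emailVerified is whether the
// provider itself vouches for the e-mail. clearOldLinks selects the hardened
// behaviour: when an unverified account becomes verified because a new provider
// asserted a verified e-mail, every previously linked identity is dropped.
func (s *Store) OAuth2Login(id OAuthIdentity, email string, emailVerified, clearOldLinks bool) *User {
	u, exists := s.byEmail[email]
	if !exists {
		// First sign-in for this address: create the account and link the identity.
		u = &User{Email: email, Verified: emailVerified, Links: map[OAuthIdentity]bool{}}
		s.byEmail[email] = u
	} else if !u.Verified && emailVerified {
		// Auto-link by e-mail match: the unverified account is upgraded to verified.
		// The vulnerable variant keeps whatever identities were linked before;
		// the hardened variant resets them so only the verifying identity remains.
		if clearOldLinks {
			u.Links = map[OAuthIdentity]bool{}
		}
		u.Verified = true
		// A password reset would also happen at this point; omitted here.
	}
	u.Links[id] = true
	return u
}

// CanLogin reports whether the given external identity resolves to a verified user.
func (s *Store) CanLogin(id OAuthIdentity) bool {
	for _, u := range s.byEmail {
		if u.Verified && u.Links[id] {
			return true
		}
	}
	return false
}

// AttackerRetainsAccess replays the advisory's sequence against a fresh store
// and reports whether the early link still grants access to the victim's
// now-verified account. All identities and addresses are constructed values.
func AttackerRetainsAccess(clearOldLinks bool) bool {
	s := NewStore()
	victimEmail := "victim@example.com"
	early := OAuthIdentity{Provider: "providerA", Subject: "early-subject"}
	victim := OAuthIdentity{Provider: "providerB", Subject: "victim-subject"}

	// Step 1: an account for the victim's address is created through provider A
	// without a verified-e-mail claim, so it starts unverified and linked to A.
	s.OAuth2Login(early, victimEmail, false, clearOldLinks)
	// Step 2: the victim later signs up through provider B, which vouches for the e-mail.
	s.OAuth2Login(victim, victimEmail, true, clearOldLinks)

	return s.CanLogin(early)
}

func main() {
	fmt.Println("vulnerable linking, early link still works:", AttackerRetainsAccess(false))
	fmt.Println("hardened linking, early link still works: ", AttackerRetainsAccess(true))
}
```

The check worth carrying into a real implementation is the one in the `else if` branch: whenever an account changes from unverified to verified because a different identity vouched for the e-mail, treat the previous links (and password) as untrusted and discard them rather than merging the new identity into the existing set.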
Remediation
Users are advised to upgrade to Pocketbase version 0.37.4, or to version 0.22.42 if they are still on an older release prior to 0.23.0.
