github.com/pocketbase/pocketbase is vulnerable to OAuth2 account pre-hijacking via autolinking
Score 60 (Medium Risk)
Affected versions of this package are vulnerable to OAuth2 account pre-hijacking. An attacker who knows the victim's email can pre-create an unverified PocketBase auth record by signing in with one OAuth2 provider (e.g. provider A). When the victim later signs up using a different OAuth2 provider (e.g. provider B), PocketBase autolinks the existing unverified record and upgrades it to verified, but it does not clear the attacker's previously linked external OAuth2 entry. The attacker therefore retains OAuth2 login access to the now-verified account. The fix deletes pre-existing external OAuth2 links on the unverified-to-verified upgrade and clears conflicting links during OAuth2 login for unverified records.
You are affected if you are using a version that falls within the vulnerable range and have OAuth2 authentication enabled with at least two providers configured. Exploitation requires the attacker to know the victim's email and the victim to subsequently sign up via a different OAuth2 provider than the one the attacker pre-linked.
github.com/pocketbase/pocketbase is vulnerable to OAuth2 account pre-hijacking via autolinking in versions 0.0.1 - 0.22.41 and 0.23.0 - 0.37.3.
Upgrade the github.com/pocketbase/pocketbase library to the patched version (v0.22.42 for the v0.22.x branch or v0.37.4 for the v0.37.x branch).
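The following Go program is an added illustration of the autolink logic the advisory describes; it is not PocketBase's code, and every type, function and identity in it (the in-memory Store, OAuth2Login, the provider-a/provider-b names and the sample subject ids) is an assumption constructed for the example. It replays the two-step sequence from the description against a vulnerable store and a patched one and returns which providers still hold a link to the victim's record afterwards, which is the property a reviewer would check when confirming the fix.

```go
package main

import "fmt"

// Simplified in-memory model of the OAuth2 autolink flow from the advisory.
// Added illustration only: types and functions here are assumptions, not
// PocketBase's own API.

// AuthRecord is a minimal auth collection record keyed by email.
type AuthRecord struct {
	Email    string
	Verified bool
}

// ExternalAuth is one provider link attached to an auth record.
type ExternalAuth struct {
	Email      string // owning record
	Provider   string
	ProviderID string // subject id reported by the provider
}

// Store holds records and their external links in memory.
type Store struct {
	records  map[string]*AuthRecord
	external []ExternalAuth
	fixed    bool // true = behave like the patched versions
}

func NewStore(fixed bool) *Store {
	return &Store{records: map[string]*AuthRecord{}, fixed: fixed}
}

// dropLinks removes every link owned by email except the one for keepProvider.
func (s *Store) dropLinks(email, keepProvider string) {
	kept := s.external[:0]
	for _, l := range s.external {
		if l.Email != email || l.Provider == keepProvider {
			kept = append(kept, l)
		}
	}
	s.external = kept
}

func (s *Store) hasLink(email, provider string) bool {
	for _, l := range s.external {
		if l.Email == email && l.Provider == provider {
			return true
		}
	}
	return false
}

// ProvidersFor lists the providers currently linked to the record for email.
func (s *Store) ProvidersFor(email string) []string {
	var out []string
	for _, l := range s.external {
		if l.Email == email {
			out = append(out, l.Provider)
		}
	}
	return out
}

// OAuth2Login models "sign in with provider using the email the provider
// reports"; emailVerified is the provider's claim about that email.
func (s *Store) OAuth2Login(provider, providerID, email string, emailVerified bool) *AuthRecord {
	rec, exists := s.records[email]
	switch {
	case !exists:
		// First sight of this email: create the record, verified flag
		// following the provider's claim.
		rec = &AuthRecord{Email: email, Verified: emailVerified}
		s.records[email] = rec
	case !rec.Verified && emailVerified:
		// Autolink: an unverified record with a matching email is upgraded.
		// Patched behaviour: links created while the record was unverified
		// (i.e. by whoever reached this email first) are discarded.
		if s.fixed {
			s.dropLinks(email, provider)
		}
		rec.Verified = true
	case !rec.Verified && s.fixed:
		// Patched behaviour for logins that leave the record unverified:
		// links for other providers are cleared rather than accumulated
		// (my reading of "clears conflicting links" in the advisory).
		s.dropLinks(email, provider)
	}
	// Attach (or keep) the link for the provider used in this login.
	if !s.hasLink(email, provider) {
		s.external = append(s.external, ExternalAuth{email, provider, providerID})
	}
	return rec
}

// Scenario replays the advisory's sequence and reports which providers can
// still log in to the victim's account and whether it ended up verified.
// All identities below are constructed sample values.
func Scenario(fixed bool) ([]string, bool) {
	s := NewStore(fixed)
	victim := "victim@example.com"
	// 1. A record for the victim's email is created via provider A; the
	//    provider does not assert the email as verified, so it is unverified.
	s.OAuth2Login("provider-a", "sub-first-party-1", victim, false)
	// 2. The victim later signs up with provider B, which asserts the verified
	//    email; the unverified record is autolinked and upgraded.
	rec := s.OAuth2Login("provider-b", "sub-victim-9", victim, true)
	return s.ProvidersFor(victim), rec.Verified
}

func main() {
	v, _ := Scenario(false)
	p, _ := Scenario(true)
	fmt.Println("vulnerable:", v) // vulnerable: [provider-a provider-b]
	fmt.Println("patched:", p)    // patched: [provider-b]
}
```

In the vulnerable store the provider-a link survives the upgrade, which is exactly the retained access the advisory describes; in the patched store only the provider that performed the verified sign-up remains linked. When auditing a deployment, the equivalent check is to look for verified auth records that still carry external auth rows created before the record's verified timestamp.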