1. Home
  2. CVE Database
  3. CVE-2026-44166
HIGH · 7.6

CVE-2026-44166

Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified Poc...

Vulnerability Description

Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" (PocketBase OAuth2 auth requires to be with a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user), the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset. This vulnerability is fixed in 0.22.42 and 0.37.4.

CVSS Score

7.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
LOW

Affected Products

VendorProductVersions
PocketbasePocketbase< 0.22.42

Related Weaknesses (CWE)

CWE-287

References

FAQ

What is CVE-2026-44166?

CVE-2026-44166 is a vulnerability with a CVSS score of 7.6 (HIGH). Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified Poc...

How severe is CVE-2026-44166?

CVE-2026-44166 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-44166?

Check the references section above for vendor advisories and patch information. Affected products include: Pocketbase Pocketbase.