CVE-2026-49757 (GCVE-0-2026-49757)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:07 – Updated: 2026-06-15 14:14
Title
OAuth2/OIDC account takeover in AshAuthentication via email-based user matching
Summary
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.
AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.
A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges.
The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?).
This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
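The two resolution strategies the advisory contrasts, modelled as an added Python example (this is not the project's Elixir code; `User`, `IdentityStore`, `resolve_by_email` and `resolve_by_identity` are hypothetical names, and the strategy name stands in for the issuer because each configured strategy is bound to one provider). `resolve_by_email` reproduces the pre-fix behaviour: whoever holds the presented email is signed in. `resolve_by_identity` reproduces the fixed behaviour: look up `(strategy, sub)` in an identity table first, and link a never-seen `sub` to an existing local account only when `email_verified` is true and the deployment has chosen to trust that claim; the decision to refuse sign-in (return `None`) on an unproven email collision is this example's design choice.

```python
# Added example, not the project's own code. Models OAuth2/OIDC user resolution
# before and after the fix described in CVE-2026-49757.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: int
    email: Optional[str]


@dataclass
class IdentityStore:
    """Local users plus a (strategy, sub) -> user id table, standing in for
    the 'user identity resource' the fix introduces. Hypothetical store."""
    users: dict = field(default_factory=dict)
    identities: dict = field(default_factory=dict)
    _next_id: int = 1

    def add_user(self, email: Optional[str]) -> User:
        user = User(self._next_id, email.lower() if email else None)
        self.users[user.id] = user
        self._next_id += 1
        return user

    def by_email(self, email: str) -> Optional[User]:
        email = email.lower()
        return next((u for u in self.users.values() if u.email == email), None)


def resolve_by_email(store: IdentityStore, claims: dict) -> User:
    """Pre-fix behaviour: the local user is whoever has the email the provider
    presented (an upsert on the email field). The subject identifier and the
    email_verified claim are never consulted."""
    user = store.by_email(claims["email"])
    return user if user is not None else store.add_user(claims["email"])


def resolve_by_identity(store: IdentityStore, strategy: str, claims: dict,
                        trust_email_verified: bool = False) -> Optional[User]:
    """Patched behaviour: resolve by (strategy, sub) first. A sub never seen
    before is linked to an existing local account by email only when the
    provider's email_verified claim is true AND the deployment trusts it.
    If the email already belongs to someone and that proof is missing, the
    sign-in is refused (None) instead of silently reusing their account."""
    key = (strategy, claims["sub"])
    if key in store.identities:
        return store.users[store.identities[key]]

    email = claims.get("email")
    existing = store.by_email(email) if email else None
    if existing is not None:
        if trust_email_verified and claims.get("email_verified") is True:
            store.identities[key] = existing.id   # verified and trusted: link
            return existing
        return None                                # collision without proof of ownership

    user = store.add_user(email)                   # genuinely new subject
    store.identities[key] = user.id
    return user


def demo() -> dict:
    """Constructed scenario: the victim has a local account; a provider account
    under someone else's control carries the victim's email, first with
    email_verified: false and then with email_verified: true."""
    spoofed = {"sub": "provider-user-9999", "email": "victim@example.com",
               "email_verified": False}
    verified = dict(spoofed, email_verified=True)
    results = {}

    s = IdentityStore(); victim = s.add_user("victim@example.com")
    results["vulnerable_takeover"] = resolve_by_email(s, spoofed).id == victim.id

    s = IdentityStore(); s.add_user("victim@example.com")
    results["hardened_unverified"] = resolve_by_identity(s, "oidc", spoofed, True)

    s = IdentityStore(); s.add_user("victim@example.com")
    results["hardened_untrusted_claim"] = resolve_by_identity(s, "oidc", verified, False)

    s = IdentityStore(); victim = s.add_user("victim@example.com")
    linked = resolve_by_identity(s, "oidc", verified, True)
    results["hardened_verified_links"] = linked is victim
    # Once linked, later sign-ins with the same sub resolve through the identity
    # table no matter which email the provider now presents.
    again = resolve_by_identity(s, "oidc", {"sub": "provider-user-9999",
                                            "email": "other@example.com"})
    results["repeat_sign_in_by_sub"] = again is victim
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run as a script it prints one line per scenario; the email-based resolver hands the spoofed login the victim's account, while the identity-based resolver either refuses the collision or links only the verified, trusted case.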
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner: EEF
References
5 references
| URL | Tags |
|---|---|
| https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28 | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-49757.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49757 | related |
| https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d | patch |
| https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7 | patch |
Impacted products
2 products
| Vendor | Product | Affected versions | CPE |
|---|---|---|---|
| team-alembic | ash_authentication | 0.1.0 , < 4.14.0 (semver); 5.0.0-rc.0 , < 5.0.0-rc.10 (semver) | cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:* |
| team-alembic | ash_authentication | c5f589058e04239263f50a1430eb17ea6d5dd1a2 , < * (git) | cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:* |
Credits
- Finder: Jarl André Hübenthal
- Remediation developer: James Harton
- Analyst: Jonatan Männchen / EEF
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49757",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:35:13.009558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:35:41.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027",
"\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027"
],
"packageName": "ash_authentication",
"packageURL": "pkg:hex/ash_authentication",
"product": "ash_authentication",
"programFiles": [
"lib/ash_authentication/strategies/oauth2/identity_change.ex",
"lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027:change/3"
},
{
"name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027:prepare/3"
}
],
"repo": "https://github.com/team-alembic/ash_authentication",
"vendor": "team-alembic",
"versions": [
{
"lessThan": "4.14.0",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
},
{
"lessThan": "5.0.0-rc.10",
"status": "affected",
"version": "5.0.0-rc.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027",
"\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027"
],
"packageName": "team-alembic/ash_authentication",
"packageURL": "pkg:github/team-alembic/ash_authentication",
"product": "ash_authentication",
"programFiles": [
"lib/ash_authentication/strategies/oauth2/identity_change.ex",
"lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027:change/3"
},
{
"name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027:prepare/3"
}
],
"repo": "https://github.com/team-alembic/ash_authentication.git",
"vendor": "team-alembic",
"versions": [
{
"changes": [
{
"at": "728b8d28c1b5f465fa1116ef044a815300fc733d",
"status": "unaffected"
},
{
"at": "64530644f9b37ebb76ca14aeb83a77597a0034b7",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "c5f589058e04239263f50a1430eb17ea6d5dd1a2",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.0-rc.10",
"versionStartIncluding": "5.0.0-rc.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jarl Andr\u00e9 H\u00fcbenthal"
},
{
"lang": "en",
"type": "remediation developer",
"value": "James Harton"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\u003cp\u003eAshAuthentication\u0027s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect \u003ctt\u003eiss\u003c/tt\u003e/\u003ctt\u003esub\u003c/tt\u003e claim combination. Per OpenID Connect Core \u00a75.7, only \u003ctt\u003eiss\u003c/tt\u003e/\u003ctt\u003esub\u003c/tt\u003e uniquely and stably identifies an end-user; other claims, including \u003ctt\u003eemail\u003c/tt\u003e, MUST NOT be used as unique identifiers.\u003c/p\u003e\u003cp\u003eA provider login presenting a victim\u0027s email, including an unverified email, a reused email, or an account with \u003ctt\u003eemail_verified: false\u003c/tt\u003e, resolved to and signed in as the victim\u0027s existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim\u0027s email (or who benefits from provider-side email reuse or reclamation) obtains the victim\u0027s full local privileges.\u003c/p\u003e\u003cp\u003eThe fix resolves users by the \u003ctt\u003e(strategy, sub)\u003c/tt\u003e identity stored in a user identity resource, and only links a new \u003ctt\u003esub\u003c/tt\u003e to an existing local account by email when the provider\u0027s \u003ctt\u003eemail_verified\u003c/tt\u003e claim is trusted (\u003ctt\u003etrust_email_verified?\u003c/tt\u003e).\u003c/p\u003e\u003cp\u003eThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\n\nAshAuthentication\u0027s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core \u00a75.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.\n\nA provider login presenting a victim\u0027s email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim\u0027s existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim\u0027s email (or who benefits from provider-side email reuse or reclamation) obtains the victim\u0027s full local privileges.\n\nThe fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider\u0027s email_verified claim is trusted (trust_email_verified?).\n\nThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T14:14:37.882Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49757.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49757"
},
{
"tags": [
"patch"
],
"url": "https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OAuth2/OIDC account takeover in AshAuthentication via email-based user matching",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49757",
"datePublished": "2026-06-15T10:07:17.781Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-06-15T14:14:37.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-49757\",\"sourceIdentifier\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"published\":\"2026-06-15T12:16:25.777\",\"lastModified\":\"2026-06-15T12:16:25.777\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\\n\\nAshAuthentication\u0027s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core \u00a75.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.\\n\\nA provider login presenting a victim\u0027s email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim\u0027s existing local account. 
An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim\u0027s email (or who benefits from provider-side email reuse or reclamation) obtains the victim\u0027s full local privileges.\\n\\nThe fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider\u0027s email_verified claim is trusted (trust_email_verified?).\\n\\nThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailab
ilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"references\":[{\"url\":\"https://cna.erlef.org/cves/CVE-2026-49757.html\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"},{\"url\":\"https://osv.dev/vulnerability/EEF-CVE-2026-49757\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-49757\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-15T12:35:13.009558Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-15T12:35:34.621Z\"}}], \"cna\": {\"title\": \"OAuth2/OIDC account takeover in AshAuthentication via email-based user matching\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Jarl Andr\\u00e9 H\\u00fcbenthal\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"James Harton\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Jonatan M\\u00e4nnchen / EEF\"}], \"impacts\": [{\"capecId\": \"CAPEC-21\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-21 Exploitation of Trusted Identifiers\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/team-alembic/ash_authentication\", \"vendor\": \"team-alembic\", \"modules\": 
[\"\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027\", \"\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027\"], \"product\": \"ash_authentication\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.1.0\", \"lessThan\": \"4.14.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.0.0-rc.0\", \"lessThan\": \"5.0.0-rc.10\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:hex/ash_authentication\", \"packageName\": \"ash_authentication\", \"programFiles\": [\"lib/ash_authentication/strategies/oauth2/identity_change.ex\", \"lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex\"], \"collectionURL\": \"https://repo.hex.pm\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027:change/3\"}, {\"name\": \"\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027:prepare/3\"}]}, {\"cpes\": [\"cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/team-alembic/ash_authentication.git\", \"vendor\": \"team-alembic\", \"modules\": [\"\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027\", \"\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027\"], \"product\": \"ash_authentication\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"728b8d28c1b5f465fa1116ef044a815300fc733d\", \"status\": \"unaffected\"}, {\"at\": \"64530644f9b37ebb76ca14aeb83a77597a0034b7\", \"status\": \"unaffected\"}], \"version\": \"c5f589058e04239263f50a1430eb17ea6d5dd1a2\", \"lessThan\": \"*\", \"versionType\": \"git\"}], \"packageURL\": \"pkg:github/team-alembic/ash_authentication\", \"packageName\": \"team-alembic/ash_authentication\", \"programFiles\": [\"lib/ash_authentication/strategies/oauth2/identity_change.ex\", \"lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex\"], \"collectionURL\": \"https://github.com\", 
\"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027:change/3\"}, {\"name\": \"\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027:prepare/3\"}]}], \"references\": [{\"url\": \"https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28\", \"tags\": [\"vendor-advisory\", \"related\"]}, {\"url\": \"https://cna.erlef.org/cves/CVE-2026-49757.html\", \"tags\": [\"related\"]}, {\"url\": \"https://osv.dev/vulnerability/EEF-CVE-2026-49757\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\\n\\nAshAuthentication\u0027s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core \\u00a75.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.\\n\\nA provider login presenting a victim\u0027s email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim\u0027s existing local account. 
An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim\u0027s email (or who benefits from provider-side email reuse or reclamation) obtains the victim\u0027s full local privileges.\\n\\nThe fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider\u0027s email_verified claim is trusted (trust_email_verified?).\\n\\nThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\u003cp\u003eAshAuthentication\u0027s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect \u003ctt\u003eiss\u003c/tt\u003e/\u003ctt\u003esub\u003c/tt\u003e claim combination. Per OpenID Connect Core \\u00a75.7, only \u003ctt\u003eiss\u003c/tt\u003e/\u003ctt\u003esub\u003c/tt\u003e uniquely and stably identifies an end-user; other claims, including \u003ctt\u003eemail\u003c/tt\u003e, MUST NOT be used as unique identifiers.\u003c/p\u003e\u003cp\u003eA provider login presenting a victim\u0027s email, including an unverified email, a reused email, or an account with \u003ctt\u003eemail_verified: false\u003c/tt\u003e, resolved to and signed in as the victim\u0027s existing local account. 
An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim\u0027s email (or who benefits from provider-side email reuse or reclamation) obtains the victim\u0027s full local privileges.\u003c/p\u003e\u003cp\u003eThe fix resolves users by the \u003ctt\u003e(strategy, sub)\u003c/tt\u003e identity stored in a user identity resource, and only links a new \u003ctt\u003esub\u003c/tt\u003e to an existing local account by email when the provider\u0027s \u003ctt\u003eemail_verified\u003c/tt\u003e claim is trusted (\u003ctt\u003etrust_email_verified?\u003c/tt\u003e).\u003c/p\u003e\u003cp\u003eThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290 Authentication Bypass by Spoofing\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.14.0\", \"versionStartIncluding\": \"0.1.0\"}, {\"criteria\": \"cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.0.0-rc.10\", \"versionStartIncluding\": \"5.0.0-rc.0\"}], \"operator\": \"OR\"}], \"operator\": \"AND\"}], \"providerMetadata\": {\"orgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"shortName\": \"EEF\", \"dateUpdated\": \"2026-06-15T14:14:37.882Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-49757\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-15T14:14:37.882Z\", \"dateReserved\": \"2026-06-01T13:45:22.449Z\", \"assignerOrgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"datePublished\": \"2026-06-15T10:07:17.781Z\", \"assignerShortName\": \"EEF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.