CVE-2026-44166: PocketBase vulnerable to account pre-hijacking via OAuth2 unverified->verified autolinking upgrade
A pre-hijacking issue was discovered with the OAuth2 autolinking by Alardiians.
In some situations, if an attacker knows the email address of the victim, they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. “A”. When the victim is invited or decides to sign up to your app on their own with provider “B” (PocketBase OAuth2 auth requires a different provider because we don’t allow multiple OAuth2 accounts from the same provider to be associated with a single PocketBase user), the user previously created by the attacker will be autolinked, upgraded to “verified”, and its old password reset.
The upgrade flow operates within expectations, but the problem is that I forgot to clear the previous OAuth2 link(s), leaving the attacker with continued access to the initially created user.
Or in other words, the vulnerability is similar to the mixed password + OAuth2 auth pre-hijacking issue we had in the past, but with a slightly different angle.
So with that in mind, and to avoid introducing breaking changes to the auth flows, a new fix was applied that automatically deletes all such pre-existing OAuth2 links on “unverified” to “verified” upgrades.
While the vulnerability requires some prerequisites, it is considered severe and it is strongly recommended to upgrade to v0.37.4 (or to v0.22.42 if you are using an older <v0.23.0 release).
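The scenario and the fix described above, reduced to a small Go model added here for illustration (this is not PocketBase's own code: the `User` type, the `autolink` function and the constructed identities are assumptions, and a new OAuth2 account is created as unverified to reproduce the advisory's precondition):

```go
package main

import "fmt"

// User is a constructed stand-in for a PocketBase auth record:
// Links maps an OAuth2 provider name to the external account id.
type User struct {
	Email    string
	Verified bool
	Links    map[string]string
}

// autolink simulates an OAuth2 sign-in for email via provider/providerID.
// clearOldLinks toggles the fix: on an unverified -> verified upgrade,
// all pre-existing OAuth2 links are removed before the new one is added.
// It returns nil when the provider is already linked (one account per provider).
func autolink(users map[string]*User, email, provider, providerID string, clearOldLinks bool) *User {
	u, ok := users[email]
	if !ok {
		// Assumption for this model: a brand-new OAuth2 account starts unverified,
		// which is the precondition the advisory describes.
		u = &User{Email: email, Links: map[string]string{provider: providerID}}
		users[email] = u
		return u
	}
	if _, taken := u.Links[provider]; taken {
		return nil
	}
	if !u.Verified {
		if clearOldLinks {
			u.Links = map[string]string{} // the fix: drop links made while unverified
		}
		u.Verified = true // the upgrade that autolinking performs
	}
	u.Links[provider] = providerID
	return u
}

// attackerRetainsAccess replays the advisory: the attacker pre-creates the
// victim's account via provider "A", the victim later signs up via "B".
// It reports whether the attacker's "A" link still exists afterwards.
func attackerRetainsAccess(clearOldLinks bool) bool {
	users := map[string]*User{}
	autolink(users, "victim@example.com", "A", "attacker-oauth-id", clearOldLinks)
	autolink(users, "victim@example.com", "B", "victim-oauth-id", clearOldLinks)
	_, has := users["victim@example.com"].Links["A"]
	return has
}

func main() {
	fmt.Println("vulnerable flow keeps attacker link:", attackerRetainsAccess(false))
	fmt.Println("fixed flow keeps attacker link:     ", attackerRetainsAccess(true))
}
```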