Advisories for Golang/Github.com/Pocketbase/Pocketbase package

A pre-hijacking issue was discovered with the OAuth2 autolinking by Alardiians. In some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" (PocketBase OAuth2 auth requires to …

In order to be exploited you must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: a malicious actor register with the targeted user's email (it is unverified) at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (this step could be also initiated by the attacker by sending an invite email to the targeted user) …