CVE Catalog

CVE-2026-49757

CriticalCVSS 9.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.44%

35th percentile — higher than 35% of all known CVEs

Summary

CVE-2026-49757 is an authentication bypass vulnerability in AshAuthentication that allows local user account takeover via OAuth2/OIDC sign-in. The issue arises from using the email address as a unique identifier instead of the iss/sub combination from OpenID Connect.

Risk Assessment

An attacker who registers an account with the victim's email on any accepted OAuth provider can gain full privileges of the victim's local account. This poses a serious threat to user data security.

Recommendation

It is recommended to update AshAuthentication to version 4.14.0 or 5.0.0-rc.10 and implement user identification strategies in accordance with OpenID Connect requirements to avoid using email addresses as unique identifiers.

Original NVD description (English source)

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS