CVE-2026-49757
Severity CVSS v4.0:
CRITICAL
Type:
Unavailable / Other
Publication date:
15/06/2026
Last modified:
15/06/2026
Description
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.

AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.

A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges.

The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?).

This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
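The pre-fix email match and the post-fix (strategy, sub) resolution side by side, as an added model of the logic described above; this is not ash_authentication's code, and the claim sets, `resolve_by_email`, `resolve_by_sub` and the return-None-on-refusal behaviour are constructed for the illustration.

```python
# Model of the identity-resolution logic behind CVE-2026-49757. Written for this
# page as an illustration; it is not code from ash_authentication. `users` maps
# email -> local user id; `identities` maps (strategy, sub) -> local user id, where
# the strategy stands for the provider (the OIDC `iss`) the claims came from.

# Constructed claim sets: a provider account that reuses the victim's email
# without verification, and the victim's own provider account.
ATTACKER_CLAIMS = {"sub": "attacker-sub-123", "email": "victim@example.com",
                   "email_verified": False}
VICTIM_CLAIMS = {"sub": "victim-sub-456", "email": "victim@example.com",
                 "email_verified": True}


def resolve_by_email(users, strategy, claims):
    """Pre-fix behaviour: upsert on the email field. Whoever presents the victim's
    email, verified or not, is signed in as the victim's local account."""
    return users.setdefault(claims["email"], f"{strategy}:{claims['sub']}")


def resolve_by_sub(users, identities, strategy, claims, trust_email_verified=True):
    """Post-fix behaviour: (strategy, sub) is the identity key. A sub not seen
    before is linked to an existing local account by email only when the
    provider's email_verified claim is true and trusted; otherwise this model
    refuses the link and returns None (an assumption about the failure path)."""
    key = (strategy, claims["sub"])
    if key in identities:          # known identity: email plays no part
        return identities[key]
    email = claims.get("email")
    if email is not None and email in users:
        if not (trust_email_verified and claims.get("email_verified") is True):
            return None            # unverified or untrusted email: no account link
        user_id = users[email]
    else:
        user_id = f"{strategy}:{claims['sub']}"   # brand-new local user
        if email is not None:
            users[email] = user_id
    identities[key] = user_id      # remember the sub for future sign-ins
    return user_id


def demo():
    """Resolve the attacker's claims with both versions; returns (vulnerable, fixed)."""
    vulnerable = resolve_by_email({"victim@example.com": "user-42"}, "oidc", ATTACKER_CLAIMS)
    fixed = resolve_by_sub({"victim@example.com": "user-42"}, {}, "oidc", ATTACKER_CLAIMS)
    return vulnerable, fixed
```

`demo()` returns `("user-42", None)`: the email upsert hands over the victim's account, while the sub-keyed lookup refuses the unverified link.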
Impact
Base Score 4.0
9.20
Severity 4.0
CRITICAL
References to Advisories, Solutions, and Tools
- https://cna.erlef.org/cves/CVE-2026-49757.html
- https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7
- https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d
- https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28
- https://osv.dev/vulnerability/EEF-CVE-2026-49757