CVE-2026-49757: OAuth2/OIDC account takeover in AshAuthentication via email-based user matching
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
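The description above contrasts two ways of mapping a provider login to a local user. The following Python illustration (added here; it is not AshAuthentication's code, and the data model, function names and claim sets are constructed for the demo) puts the pre-fix email upsert beside a resolver keyed on the (strategy, sub) pair, with email-based linking gated on a trusted email_verified claim. A single strategy is assumed to map to one issuer, so the strategy name stands in for iss. What the hardened resolver does when an unverified email collides with an existing account is not specified by the advisory; the demo assumes it refuses the sign-in rather than creating a second user with the same email.

```python
# Added illustration, not AshAuthentication's code: an in-memory stand-in for a
# user resource plus a user-identity resource, with the pre-fix resolver
# (match by email) beside the post-fix resolver (match by (strategy, sub)).
# All names, the data model and the claim sets are constructed for the demo.
from dataclasses import dataclass, field


class LinkRefused(Exception):
    """A new provider subject could not be safely attached to a local account.
    Assumption for this demo: the hardened resolver refuses the sign-in rather
    than creating a second user with an already-taken email."""


@dataclass
class User:
    id: int
    email: str


@dataclass
class Store:
    users: dict = field(default_factory=dict)       # id -> User
    identities: dict = field(default_factory=dict)  # (strategy, sub) -> user id
    next_id: int = 1

    def find_by_email(self, email):
        return next((u for u in self.users.values() if u.email == email), None)

    def create_user(self, email):
        if self.find_by_email(email) is not None:
            raise LinkRefused(f"email {email!r} already belongs to a local user")
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user


def resolve_by_email(store, strategy, claims):
    """Pre-fix behaviour: upsert on the email claim. Whoever presents the
    victim's email, verified or not, is signed in as the victim."""
    user = store.find_by_email(claims["email"])
    return user if user is not None else store.create_user(claims["email"])


def resolve_by_subject(store, strategy, claims, trust_email_verified=False):
    """Post-fix behaviour: (strategy, sub) is the only lookup key. A brand-new
    sub is linked to an existing account by email only when the application
    trusts this provider's email_verified claim AND the claim is true."""
    key = (strategy, claims["sub"])
    user_id = store.identities.get(key)
    if user_id is not None:
        return store.users[user_id]  # known sub: the email claim is not consulted

    existing = store.find_by_email(claims["email"])
    if existing is not None:
        if trust_email_verified and claims.get("email_verified") is True:
            store.identities[key] = existing.id
            return existing
        raise LinkRefused("email matches a local account but is not verified/trusted")

    user = store.create_user(claims["email"])
    store.identities[key] = user.id
    return user


def try_resolve(store, strategy, claims, trust_email_verified=False):
    """Wrapper returning the signed-in User, or None when linking is refused."""
    try:
        return resolve_by_subject(store, strategy, claims, trust_email_verified)
    except LinkRefused:
        return None


def demo():
    """Runs the spoofing scenario against both resolvers and returns outcomes."""
    store = Store()
    victim = store.create_user("victim@example.com")  # registered with a password

    # Constructed claims from an attacker-controlled account on an accepted
    # provider; the provider never verified the (victim's) email.
    spoofed = {"sub": "attacker-9001", "email": "victim@example.com",
               "email_verified": False}
    vulnerable_hit = resolve_by_email(store, "oidc", spoofed).id == victim.id
    patched_hit = try_resolve(store, "oidc", spoofed, trust_email_verified=True)

    # The real victim, whose provider account has a verified email, is linked
    # once and then found by sub even if the provider-side email changes later.
    genuine = {"sub": "victim-42", "email": "victim@example.com", "email_verified": True}
    linked = resolve_by_subject(store, "oidc", genuine, trust_email_verified=True)
    renamed = dict(genuine, email="renamed@example.com")
    later = resolve_by_subject(store, "oidc", renamed, trust_email_verified=True)

    return {"victim_id": victim.id, "vulnerable_hit": vulnerable_hit,
            "patched_hit": patched_hit is not None,
            "linked_id": linked.id, "stable_id": later.id}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the email resolver handing the victim's account to the spoofed login, while the subject resolver refuses it even with `trust_email_verified=True`, because the provider reported `email_verified: false`. The same resolver links the genuine victim once and afterwards ignores the email claim entirely, which is the stability property OpenID Connect Core §5.7 assigns to iss/sub.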
Metrics
- CVSS v4.0: 9.2
- Severity: CRITICAL
- Fixed in: *
- Affected Products: 2
HarborGuard Analysis
Synopsis
Authentication bypass by spoofing in AshAuthentication (Elixir library by team-alembic) allows an unauthenticated attacker to take over any local user account via OAuth2 or OIDC sign-in. The vulnerability is reachable over the network with no authentication required and stems from the library matching incoming OAuth/OIDC logins to local accounts by email address rather than by the stable iss/sub claim pair mandated by OpenID Connect Core §5.7. Successful exploitation gives the attacker full access to the victim's local account, including all privileges, stored data, and any downstream resources tied to that identity. Patched-image rebuilds at versions 4.14.0 and 5.0.0-rc.10 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ash_authentication as a dependency. Any image whose manifest resolves to an affected version range (ash_authentication 0.1.0 through 4.13.x, or 5.0.0-rc.0 through 5.0.0-rc.9) is flagged automatically.
HarborGuard is capable of scoring this finding at CVSS v4.0 9.2 (Critical) and weighting it further against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer org. Per-environment policy configuration lets customers control escalation thresholds, suppression rules, and notification channels without manual triage overhead.
A patched-image rebuild at ash_authentication 4.14.0 (or 5.0.0-rc.10 for pre-release tracks) becomes available in HarborGuard the moment the fixed upstream release is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The vulnerable OAuth2/OIDC callback endpoint is exposed over the network, so the attacker must be able to reach the service via standard HTTP/HTTPS.
- Authentication: Not required
No existing account or session on the target application is needed; the attacker initiates a fresh OAuth/OIDC sign-in flow as an anonymous user.
- Victim interaction: Not required
The victim does not need to take any action; the attacker completes the OAuth flow independently using an account they control on an accepted identity provider.
- Attack complexity: Detail
Attack complexity is low (AC:L), but the CVSS v4.0 Attack Requirements metric is Present (AT:P): the attacker must be able to register an account on an accepted OAuth provider using the victim's email address, or benefit from provider-side email reuse or reclamation.
Blast Radius
- The attacker signs in as the victim and inherits all of the victim's local application privileges, roles, and session rights.
- All data readable by the victim's account becomes directly accessible, including profile data, stored records, and any application secrets scoped to that user.
- The attacker can modify or delete any data the victim's account has write access to, including persisted rows, settings, and linked resources.
- The application service itself is subject to disruption if the attacker exercises destructive permissions held by the victim's account.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of advisory ingestion for any image containing ash_authentication in the affected version ranges (0.1.0 to 4.13.x, or 5.0.0-rc.0 to 5.0.0-rc.9). For environments where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the patched version (4.14.0 for stable track; 5.0.0-rc.10 for pre-release track), executes regression tests, and opens a pull request against affected workloads. Given the Critical CVSS score and the zero-interaction, network-accessible attack surface, teams that have not yet enabled auto-remediation are advised to treat this as a manual priority patch. Where auto-remediation is not permitted, consider applying a network policy to restrict the OAuth callback endpoint to known identity-provider egress ranges as a compensating control while the upgrade is staged. HarborGuard re-evaluates the advisory on every ingest cycle, so any further upstream changes to affected version ranges or fix versions are reflected automatically.
- team-alembic / ash_authentication: < 4.14.0 (from 0.1.0) · < 5.0.0-rc.10 (from 5.0.0-rc.0)
- team-alembic / ash_authentication: < * (from c5f589058e04239263f50a1430eb17ea6d5dd1a2)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N