Vulnerability Details: CVE-2026-49757

Summary
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 15 Jun, 2026 | 10:07
Updated At: 15 Jun, 2026 | 14:14
Rejected At: -

OAuth2/OIDC account takeover in AshAuthentication via email-based user matching

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
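To make the resolution logic concrete, here is an added model (not AshAuthentication's code; the `Store`, `User` and handler names are assumptions) of the two lookups the advisory contrasts: an upsert keyed on the email claim, versus a lookup keyed on the (strategy, sub) pair that only links by email when `email_verified` is trusted.

```python
"""Model of the CVE-2026-49757 lookup bug and its fix. Added example, not
project code; the store, names and sample claims below are constructed."""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str


@dataclass
class Store:
    users: dict = field(default_factory=dict)       # id -> User
    identities: dict = field(default_factory=dict)  # (strategy, sub) -> user id
    next_id: int = 1

    def create(self, email):
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user

    def by_email(self, email):
        return next((u for u in self.users.values() if u.email == email), None)


def vulnerable_sign_in(store, strategy, claims, **_):
    """Pre-fix behaviour: upsert on the email field, sub is never consulted."""
    return store.by_email(claims["email"]) or store.create(claims["email"])


def hardened_sign_in(store, strategy, claims, trust_email_verified=False):
    """Fixed behaviour: resolve by (strategy, sub); link an unknown sub to an
    existing account by email only when the provider's email_verified claim is
    trusted and true; otherwise create a fresh account."""
    key = (strategy, claims["sub"])
    if key in store.identities:
        return store.users[store.identities[key]]
    user = None
    if trust_email_verified and claims.get("email_verified") is True:
        user = store.by_email(claims["email"])
    if user is None:
        user = store.create(claims["email"])
    store.identities[key] = user.id  # remember the identity for next sign-in
    return user


def second_identity_reaches_first_account(handler, **kw):
    """Constructed scenario: a user signs in via sub A, then a different sub B
    presents the same email with email_verified false. Returns True when the
    second login resolves to the first user's account."""
    store = Store()
    first = handler(store, "oidc", {"sub": "A", "email": "user@example.com", "email_verified": True}, **kw)
    second = handler(store, "oidc", {"sub": "B", "email": "user@example.com", "email_verified": False}, **kw)
    return first.id == second.id
```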

Common Vulnerabilities and Exposures (CVE), cve.org
CVE Numbering Authority (CNA)
Affected Products
Vendor
team-alembic
Product
ash_authentication
Collection URL
https://repo.hex.pm
Package Name
ash_authentication
Repo
https://github.com/team-alembic/ash_authentication
CPEs
  • cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange'
  • 'Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation'
Program Files
  • lib/ash_authentication/strategies/oauth2/identity_change.ex
  • lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex
Program Routines
  • 'Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange':change/3
  • 'Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation':prepare/3
Default Status
unaffected
Versions
Affected
  • From 0.1.0 before 4.14.0 (semver)
  • From 5.0.0-rc.0 before 5.0.0-rc.10 (semver)
Vendor
team-alembic
Product
ash_authentication
Collection URL
https://github.com
Package Name
team-alembic/ash_authentication
Repo
https://github.com/team-alembic/ash_authentication.git
CPEs
  • cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange'
  • 'Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation'
Program Files
  • lib/ash_authentication/strategies/oauth2/identity_change.ex
  • lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex
Program Routines
  • 'Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange':change/3
  • 'Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation':prepare/3
Default Status
unaffected
Versions
Affected
  • From c5f589058e04239263f50a1430eb17ea6d5dd1a2 before * (git)
    • unaffected from 728b8d28c1b5f465fa1116ef044a815300fc733d
    • unaffected from 64530644f9b37ebb76ca14aeb83a77597a0034b7
Problem Types
  • CWE-290: Authentication Bypass by Spoofing
Metrics
  • CVSS 4.0, base score 9.2 (CRITICAL)
    Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Impacts
  • CAPEC-21: Exploitation of Trusted Identifiers
Credits
  • Finder: Jarl André Hübenthal
  • Remediation developer: James Harton
  • Analyst: Jonatan Männchen / EEF
References
  • https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28 (vendor-advisory, related)
  • https://cna.erlef.org/cves/CVE-2026-49757.html (related)
  • https://osv.dev/vulnerability/EEF-CVE-2026-49757 (related)
  • https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d (patch)
  • https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7 (patch)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Information is not available yet
National Vulnerability Database (NVD), nvd.nist.gov
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 15 Jun, 2026 | 12:16
Updated At: 15 Jun, 2026 | 20:55
CISA Catalog
  • Date Added: N/A
  • Due Date: N/A
  • Vulnerability Name: N/A
  • Required Action: N/A
Metrics
  • Type: Secondary, CVSS 4.0, base score 9.2 (CRITICAL)
    Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
  • CWE-290 (Type: Secondary; Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
References (Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db; Resource type: N/A)
  • https://cna.erlef.org/cves/CVE-2026-49757.html
  • https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7
  • https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d
  • https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28
  • https://osv.dev/vulnerability/EEF-CVE-2026-49757

Change History
Information is not available yet

Similar CVEs (1 record found)

CVE-2026-56020 (Matching Score: 4)
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score: 9.2 (CRITICAL)
EPSS: 0.29% / 20.26% (7 day change ~0.00%)
Published: 18 Jun, 2026 | 16:12
Updated: 22 Jun, 2026 | 14:17
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Webmin HTTP header authentication bypass

The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641.

Action: Not Available
Vendor: Webmin
Product: Webmin
CWE ID: CWE-290 Authentication Bypass by Spoofing