CVE-2026-49757
Deferred - Pending Action

Authentication Bypass in AshAuthentication via OAuth2/OIDC Spoofing

Vulnerability report for CVE-2026-49757, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: EEF

Description

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.


Affected Vendors & Products

Vendor         Product              Version / Range
team-alembic   ash_authentication   0.1.0 up to (excluding) 4.14.0
team-alembic   ash_authentication   5.0.0-rc.0 up to (excluding) 5.0.0-rc.10

Exploitability

CWE ID   Description
CWE-290  Authentication Bypass by Spoofing. This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. Here the scheme treated the email claim as the user's identity, although only the iss/sub pair is stable and unique.

Detection Guidance

This vulnerability is an authentication bypass in AshAuthentication's OAuth2/OIDC strategies: the library matched the local user by email rather than by the unique iss/sub claim pair. Detection means confirming whether your application runs a vulnerable version of AshAuthentication (from 0.1.0 before 4.14.0, or from 5.0.0-rc.0 before 5.0.0-rc.10) and whether its OAuth2/OIDC sign-in resolves local users by email instead of by the issuer and subject claims.

To detect exploitation attempts or presence of the vulnerability, you can:

  • Check the version of AshAuthentication in your application dependencies to confirm if it falls within the vulnerable range.
  • Audit OAuth2/OIDC login logs for suspicious sign-ins where multiple distinct OAuth provider identities share the same email address, especially if email_verified claims are false or missing.
  • Look for unusual account linkages or new OAuth identities linked to existing local accounts without proper email verification.

Specific commands depend on your environment and logging setup, but examples include:

  • Using grep or similar tools on authentication logs to list each email address together with the distinct OAuth provider subject (sub) values that signed in with it.
  • For example, on a Unix-like system whose logs carry key=value fields, grep -o 'email=[^ ]*' /path/to/authentication/logs | sort | uniq -c | sort -nr lists the most frequently used emails. Piping whole log lines through sort | uniq -c without extracting the field first only counts identical lines, not emails.
  • Query your database for user identities that share an email but carry different OAuth provider iss/sub identifiers to detect potential mismatches.
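The two checks above (log review and a query over the identity table) as an added, runnable example; this is not code from the page or from the AshAuthentication project. The key=value log layout, the field names (event, iss, sub, email, email_verified, user_id), the sample log lines and the identity rows are all constructed assumptions; adapt KV_RE and the field names to what your logger and schema actually emit.

```python
import re
from collections import defaultdict

# Constructed sample sign-in log (not from any real deployment). The key=value
# layout and the field names are assumptions; adapt KV_RE and the field names
# to whatever your logger emits for OAuth2/OIDC sign-ins.
SAMPLE_LOG = """\
2026-06-10T09:12:01Z event=oauth_sign_in strategy=google iss=https://accounts.google.com sub=g-1001 email=alice@example.com email_verified=true user_id=7
2026-06-10T09:20:44Z event=oauth_sign_in strategy=github iss=https://github.com/login/oauth sub=gh-55 email=alice@example.com email_verified=false user_id=7
2026-06-11T14:03:09Z event=oauth_sign_in strategy=google iss=https://accounts.google.com sub=g-1001 email=alice@example.com email_verified=true user_id=7
2026-06-11T18:45:30Z event=oauth_sign_in strategy=google iss=https://accounts.google.com sub=g-2002 email=bob@example.com email_verified=true user_id=8
2026-06-12T02:17:12Z event=oauth_sign_in strategy=oidc iss=https://idp.example.net sub=x-9 email=alice@example.com user_id=7
2026-06-12T02:18:00Z event=password_sign_in email=bob@example.com user_id=8
"""

# Constructed rows of a user-identity table (one row per linked provider identity).
SAMPLE_IDENTITY_ROWS = [
    {"user_id": 7, "strategy": "google", "sub": "g-1001", "email_verified": True},
    {"user_id": 7, "strategy": "github", "sub": "gh-55", "email_verified": False},
    {"user_id": 8, "strategy": "google", "sub": "g-2002", "email_verified": True},
    {"user_id": 9, "strategy": "google", "sub": "g-3003", "email_verified": True},
    {"user_id": 9, "strategy": "oidc", "sub": "o-1", "email_verified": True},
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict; tokens without '=' are dropped."""
    return dict(KV_RE.findall(line))

def suspicious_emails(log_text):
    """Group OAuth sign-ins by email and return the emails that were signed in
    from more than one distinct (iss, sub) identity. unverified_link is True
    when any of those identities lacked email_verified=true, which is exactly
    the pattern CVE-2026-49757 lets an attacker exploit."""
    by_email = defaultdict(dict)   # email -> {(iss, sub): email_verified}
    users = defaultdict(set)       # email -> local user ids it resolved to
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("event") != "oauth_sign_in":
            continue
        key = (rec["iss"], rec["sub"])
        by_email[rec["email"]][key] = rec.get("email_verified") == "true"
        users[rec["email"]].add(rec.get("user_id"))
    report = {}
    for email, idents in by_email.items():
        if len(idents) > 1:
            report[email] = {
                "user_ids": users[email],
                "identities": sorted((i, s, v) for (i, s), v in idents.items()),
                "unverified_link": any(not v for v in idents.values()),
            }
    return report

def unverified_identity_links(rows):
    """Database-side check: user ids that have more than one (strategy, sub)
    linked and at least one link whose email was not verified. Legitimate
    multi-provider users whose links are all verified are not flagged."""
    per_user = defaultdict(list)
    for row in rows:
        per_user[row["user_id"]].append(row)
    flagged = set()
    for uid, links in per_user.items():
        keys = {(r["strategy"], r["sub"]) for r in links}
        if len(keys) > 1 and any(not r.get("email_verified") for r in links):
            flagged.add(uid)
    return flagged

if __name__ == "__main__":
    for email, info in suspicious_emails(SAMPLE_LOG).items():
        flag = "UNVERIFIED LINK" if info["unverified_link"] else "all verified"
        print(f"{email}: {len(info['identities'])} identities -> users {sorted(info['user_ids'])} ({flag})")
        for iss, sub, verified in info["identities"]:
            print(f"    iss={iss} sub={sub} email_verified={verified}")
    print("users with unverified identity links:", sorted(unverified_identity_links(SAMPLE_IDENTITY_ROWS)))
```

On the constructed data alice@example.com is reported because three distinct (iss, sub) pairs resolved to her local account and two of them carried no email_verified=true, while user 9 is not flagged by the table check because both of its links were verified. A single email seen from several providers is not proof of compromise on its own (users do legitimately link accounts); the signal worth chasing is a link that was created without a verified email while the library was still in the vulnerable range.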

Since the vulnerability is related to how AshAuthentication resolves users, reviewing your application's OAuth2/OIDC configuration for the presence or absence of the mandatory identity_resource and the trust_email_verified? setting can help detect if your system is vulnerable.

Executive Summary

CVE-2026-49757 is an authentication bypass vulnerability in the AshAuthentication library used for OAuth2/OIDC sign-in. The issue arises because the library matched local users by their email address instead of the OpenID Connect issuer (iss) and subject (sub) claims, which are the only stable and unique identifiers for users according to the OpenID Connect specification.

This flaw allows an attacker to register an account on any accepted OAuth provider using a victim's email address (even if the email is unverified, reused, or marked email_verified: false) and gain access to the victim's existing local account with full privileges. The vulnerability affects versions of AshAuthentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.

The fix involves changing the user resolution mechanism to rely on the (strategy, sub) identity stored in a user identity resource, and only linking a new sub to an existing local account by email when the provider's email_verified claim is trusted.

Impact Analysis

This vulnerability can lead to a critical security impact by allowing an unauthenticated attacker to take over local user accounts. By exploiting the email-based user matching flaw, an attacker can gain full local privileges of the victim's account without needing to authenticate legitimately.

The attacker can register an account on an OAuth provider with the victim's email and then sign in through the vulnerable AshAuthentication system, which incorrectly associates the attacker with the victim's local account.

This results in a complete account takeover, potentially exposing sensitive data, allowing unauthorized actions, and compromising the security of the affected application.

Mitigation Strategies

To mitigate the CVE-2026-49757 vulnerability, immediately upgrade AshAuthentication to version 4.14.0 or later, or to 5.0.0-rc.10 or later if using the 5.x release candidates.

Ensure that every OAuth2 and OIDC strategy is configured with the identity_resource option, which the fixed releases make mandatory and which resolves users by the (strategy, sub) identity rather than by email.

Configure the trust_email_verified? option carefully to only trust providers that reliably assert email ownership, so that linking by email is only allowed when the email_verified claim is trusted.

Set the on_untrusted_email_match option to :reject (default) to refuse sign-ins when the email cannot be trusted, or to :confirm to require email confirmation before linking accounts.

Review and update your OAuth provider configurations and documentation to align with the new identity verification mechanisms introduced in the patches.
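The resolution policy described in the steps above, modelled as an added example. This is not AshAuthentication's code or API: Store, resolve_vulnerable, resolve_fixed, the trust_email_verified keyword (Python cannot carry the trailing ? of trust_email_verified?) and the string values "reject"/"confirm" standing in for the :reject/:confirm atoms are this example's own names. The claim sets for the victim and the attacker are constructed. The point it shows is the difference between an upsert on email and a lookup keyed on (strategy, sub) with email linking gated on a trusted email_verified claim.

```python
from dataclasses import dataclass, field

# A small in-memory model of the two resolution policies the advisory describes.
# Names (Store, resolve_vulnerable, resolve_fixed, the string option values) are
# this example's own and are not AshAuthentication's API.

@dataclass
class User:
    id: int
    email: str

@dataclass
class Store:
    users: dict = field(default_factory=dict)       # id -> User
    identities: dict = field(default_factory=dict)  # (strategy, sub) -> user id
    next_id: int = 1

    def create_user(self, email):
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user

    def user_by_email(self, email):
        return next((u for u in self.users.values() if u.email == email), None)

class RejectedSignIn(Exception):
    pass

class ConfirmationRequired(Exception):
    pass

def resolve_vulnerable(store, strategy, claims):
    """Pre-fix behaviour: upsert on the email claim. iss/sub are never
    consulted, so any provider account carrying the victim's email address
    resolves to the victim's local user."""
    return store.user_by_email(claims["email"]) or store.create_user(claims["email"])

def resolve_fixed(store, strategy, claims, *, trust_email_verified=False,
                  on_untrusted_email_match="reject"):
    """Fixed behaviour: the (strategy, sub) identity is the primary key. A sub
    seen for the first time is linked to an existing local account by email
    only when the provider is trusted and asserts email_verified=true;
    otherwise on_untrusted_email_match decides: "reject" refuses the sign-in,
    "confirm" defers linking until the user proves ownership of the email."""
    key = (strategy, claims["sub"])
    if key in store.identities:
        return store.users[store.identities[key]]
    existing = store.user_by_email(claims["email"])
    if existing is None:
        user = store.create_user(claims["email"])
    elif trust_email_verified and claims.get("email_verified") is True:
        user = existing
    elif on_untrusted_email_match == "confirm":
        raise ConfirmationRequired(f"confirm {claims['email']} before linking {key}")
    else:
        raise RejectedSignIn(f"{claims['email']} already exists locally; not linking {key}")
    store.identities[key] = user.id
    return user

def demo():
    """Replay the attack against both policies and return what happened."""
    victim = {"sub": "victim-sub", "email": "victim@example.com", "email_verified": True}
    attacker = {"sub": "attacker-sub", "email": "victim@example.com", "email_verified": False}
    out = {}

    s = Store()
    v = resolve_vulnerable(s, "google", victim)
    out["vulnerable_takeover"] = resolve_vulnerable(s, "other-idp", attacker).id == v.id

    s = Store()
    v = resolve_fixed(s, "google", victim)
    try:
        resolve_fixed(s, "other-idp", attacker)
        out["fixed_rejects_attacker"] = False
    except RejectedSignIn:
        out["fixed_rejects_attacker"] = True
    out["fixed_victim_still_signs_in"] = resolve_fixed(s, "google", victim).id == v.id

    # A trusted provider asserting email_verified=true may link a new sub to the victim.
    trusted = {"sub": "okta-1", "email": "victim@example.com", "email_verified": True}
    out["trusted_verified_links"] = resolve_fixed(s, "okta", trusted, trust_email_verified=True).id == v.id

    # With "confirm", an untrusted match is neither refused outright nor linked yet.
    try:
        resolve_fixed(s, "github", attacker, on_untrusted_email_match="confirm")
        out["confirm_defers_link"] = False
    except ConfirmationRequired:
        out["confirm_defers_link"] = ("github", "attacker-sub") not in s.identities
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note the order of checks in resolve_fixed: the (strategy, sub) lookup comes first, so a returning user is never re-evaluated against the email policy, and the email path only runs for a sub that has never been linked. Setting trust_email_verified for a provider is a statement that you believe its email_verified claim; for any provider you do not make that statement about, the default "reject" means a colliding email never silently becomes the victim's session.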

Compliance Impact

The vulnerability allows an unauthenticated attacker to take over local user accounts by exploiting improper user matching during OAuth2/OIDC sign-in, leading to unauthorized access to user data and privileges.

Such unauthorized access can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on user authentication and access to personal or sensitive information.

Because the flaw enables account takeover without proper verification, it undermines the security assurances needed to comply with these standards, potentially leading to data breaches and regulatory non-compliance.
