CVE-2026-49757
Authentication Bypass in AshAuthentication via OAuth2/OIDC Spoofing

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: EEF

Description
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
Affected Vendors & Products
Vendor         Product              Version / Range
team-alembic   ash_authentication   up to 4.14.0 (exclusive)
team-alembic   ash_authentication   up to 5.0.0-rc.10 (exclusive)
CWE
CWE-290: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
AI Quick Actions
Executive Summary

CVE-2026-49757 is an authentication bypass vulnerability in the AshAuthentication library used for OAuth2/OIDC sign-in. The issue arises because the library matched local users by their email address instead of the OpenID Connect issuer (iss) and subject (sub) claims, which are the only stable and unique identifiers for users according to the OpenID Connect specification.

This flaw allows an attacker to register an account on any accepted OAuth provider using a victim's email address (even if the email is unverified, reused, or marked as email_verified: false) and gain access to the victim's existing local account with full privileges. The vulnerability affects versions of AshAuthentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.

The fix involves changing the user resolution mechanism to rely on the (strategy, sub) identity stored in a user identity resource, and only linking a new sub to an existing local account by email when the provider's email_verified claim is trusted.

Impact Analysis

This vulnerability can lead to a critical security impact by allowing an unauthenticated attacker to take over local user accounts. By exploiting the email-based user matching flaw, an attacker can gain full local privileges of the victim's account without needing to authenticate legitimately.

The attacker can register an account on an OAuth provider with the victim's email and then sign in through the vulnerable AshAuthentication system, which incorrectly associates the attacker with the victim's local account.

This results in a complete account takeover, potentially exposing sensitive data, allowing unauthorized actions, and compromising the security of the affected application.

Mitigation Strategies

To mitigate the CVE-2026-49757 vulnerability, immediately upgrade AshAuthentication to version 4.14.0 or later, or to 5.0.0-rc.10 or later if using the 5.x release candidates.

Ensure that all OAuth2 and OIDC strategies require and use the mandatory identity_resource option, which resolves users by the (strategy, sub) identity rather than by email.

Configure the trust_email_verified? option carefully to only trust providers that reliably assert email ownership, so that linking by email is only allowed when the email_verified claim is trusted.

Set the on_untrusted_email_match option to :reject (default) to refuse sign-ins when the email cannot be trusted, or to :confirm to require email confirmation before linking accounts.

Review and update your OAuth provider configurations and documentation to align with the new identity verification mechanisms introduced in the patches.
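The two lookups contrasted in the description and the mitigation steps above (matching a local user by the provider's email claim versus resolving by the (strategy, sub) identity, with email linking gated on a trusted email_verified claim), as an added illustration that is not AshAuthentication's own code. The module, function names and the in-memory users/identities data are constructed for this example; the option names trust_email_verified? and on_untrusted_email_match mirror those named in the advisory.

```elixir
defmodule IdentityResolution do
  # Constructed example, not AshAuthentication's own code. Contrasts the
  # vulnerable email-based match with resolution by the (strategy, sub)
  # identity, where linking by email requires a trusted email_verified claim.

  # Vulnerable pattern: whoever the provider says holds this email is signed
  # in as the local user with that email, regardless of sub or verification.
  def resolve_by_email(users, claims) do
    case Enum.find(users, &(&1.email == claims["email"])) do
      nil -> {:ok, :new_user}
      user -> {:ok, user}
    end
  end

  # Hardened pattern. identities maps {strategy, sub} => local user id
  # (the role the user identity resource plays). Options mirror the names
  # in the advisory: trust_email_verified? and on_untrusted_email_match.
  def resolve_by_identity(users, identities, strategy, claims, opts \\ []) do
    trusted? = Keyword.get(opts, :trust_email_verified?, false)
    on_untrusted = Keyword.get(opts, :on_untrusted_email_match, :reject)
    verified? = claims["email_verified"] == true

    case Map.fetch(identities, {strategy, claims["sub"]}) do
      # Known (strategy, sub): the stable identifier matched, sign in.
      {:ok, user_id} ->
        {:ok, Enum.find(users, &(&1.id == user_id))}

      # Unknown sub: link to an existing account by email only when the
      # provider is trusted to assert ownership and says the email is verified.
      :error ->
        case Enum.find(users, &(&1.email == claims["email"])) do
          nil -> {:ok, :new_user}
          user when trusted? and verified? -> {:ok, user}
          user when on_untrusted == :confirm -> {:confirm, user}
          _user -> {:error, :untrusted_email_match}
        end
    end
  end
end

# Constructed data: one local user whose Google identity is already linked.
users = [%{id: 1, email: "victim@example.com"}]
identities = %{{:google, "sub-111"} => 1}
# A different provider account (different sub) carrying the same email, unverified.
claims = %{"sub" => "sub-999", "email" => "victim@example.com", "email_verified" => false}

IO.inspect(IdentityResolution.resolve_by_email(users, claims), label: "by email")
IO.inspect(IdentityResolution.resolve_by_identity(users, identities, :google, claims, trust_email_verified?: true), label: "by identity")
```

Run with `elixir identity_resolution.exs`: the email-based lookup signs the foreign sub in as user 1, while the identity-based lookup refuses the untrusted email match under the default :reject setting.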

Compliance Impact

The vulnerability allows an unauthenticated attacker to take over local user accounts by exploiting improper user matching during OAuth2/OIDC sign-in, leading to unauthorized access to user data and privileges.

Such unauthorized access can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on user authentication and access to personal or sensitive information.

Because the flaw enables account takeover without proper verification, it undermines the security assurances needed to comply with these standards, potentially leading to data breaches and regulatory non-compliance.
