CVE-2026-49757: CWE-290 Authentication Bypass by Spoofing in team-alembic ash_authentication
CVE-2026-49757 is a critical authentication bypass vulnerability in team-alembic's ash_authentication component. The flaw allows attackers to take over local user accounts via OAuth2/OIDC sign-in by matching users based on email rather than the required unique OpenID Connect iss/sub claims. This enables an unauthenticated attacker who can register an OAuth provider account with a victim's email to gain full local privileges. The issue affects versions 0.1.0, all versions from 0.1.0 up to but excluding 4.14.0, and versions 5.0.0-rc.0 up to but excluding 5.0.0-rc.10. The vulnerability has a CVSS 4.0 score of 9.2 (critical).
AI Analysis
Technical Summary
The vulnerability in ash_authentication arises because OAuth2/OIDC strategies matched local users by email address instead of the OpenID Connect Core mandated unique identifier (iss/sub claim combination). Since email addresses can be unverified, reused, or reclaimed, an attacker registering an OAuth provider account with the victim's email can bypass authentication and assume the victim's local account privileges. The fix involves resolving users by the (strategy, sub) identity and only linking new subs to existing accounts when the provider's email_verified claim is trusted. This vulnerability affects ash_authentication versions =0.1.0, >=0.1.0 <4.14.0, and =5.0.0-rc.0 <5.0.0-rc.10.
Potential Impact
An unauthenticated attacker can bypass authentication controls and take over local user accounts by exploiting the email-based user matching flaw in OAuth2/OIDC sign-in. This results in full local privileges being granted to the attacker, potentially compromising the affected system's security and user data integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is fixed by changing user resolution to rely on the unique (strategy, sub) identity and verifying the email_verified claim before linking accounts. Until an official fix is confirmed, avoid relying on email-based user matching for OAuth2/OIDC authentication.
CVE-2026-49757: CWE-290 Authentication Bypass by Spoofing in team-alembic ash_authentication
Description
CVE-2026-49757 is a critical authentication bypass vulnerability in team-alembic's ash_authentication component. The flaw allows attackers to take over local user accounts via OAuth2/OIDC sign-in by matching users based on email rather than the required unique OpenID Connect iss/sub claims. This enables an unauthenticated attacker who can register an OAuth provider account with a victim's email to gain full local privileges. The issue affects versions 0.1.0, all versions from 0.1.0 up to but excluding 4.14.0, and versions 5.0.0-rc.0 up to but excluding 5.0.0-rc.10. The vulnerability has a CVSS 4.0 score of 9.2 (critical).
CVSS v4.0
Score 9.2critical
Affected software
pkg:github/team-alembic/ash_authenticationcpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in ash_authentication arises because OAuth2/OIDC strategies matched local users by email address instead of the OpenID Connect Core mandated unique identifier (iss/sub claim combination). Since email addresses can be unverified, reused, or reclaimed, an attacker registering an OAuth provider account with the victim's email can bypass authentication and assume the victim's local account privileges. The fix involves resolving users by the (strategy, sub) identity and only linking new subs to existing accounts when the provider's email_verified claim is trusted. This vulnerability affects ash_authentication versions =0.1.0, >=0.1.0 <4.14.0, and =5.0.0-rc.0 <5.0.0-rc.10.
Potential Impact
An unauthenticated attacker can bypass authentication controls and take over local user accounts by exploiting the email-based user matching flaw in OAuth2/OIDC sign-in. This results in full local privileges being granted to the attacker, potentially compromising the affected system's security and user data integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is fixed by changing user resolution to rely on the unique (strategy, sub) identity and verifying the email_verified claim before linking accounts. Until an official fix is confirmed, avoid relying on email-based user matching for OAuth2/OIDC authentication.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-06-01T13:45:22.449Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2fe9580b89be6888e98672
Added to database: 6/15/2026, 12:00:24 PM
Last enriched: 6/15/2026, 12:15:23 PM
Last updated: 6/15/2026, 2:05:00 PM
Views: 41
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.