CVE-2024-38351
📋 TL;DR
This vulnerability in PocketBase allows account takeover when both OAuth2 and password authentication are enabled. A malicious user can register with a victim's email address, then when the victim later signs up via OAuth2, the accounts become linked without resetting the password, giving the attacker access. This affects all PocketBase instances with both authentication methods enabled.
💻 Affected Systems
- PocketBase
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, potentially leading to data theft, privilege escalation, or unauthorized actions within the application.
Likely Case
Targeted account compromise of specific users, particularly those who use OAuth2 after an attacker has pre-registered their email.
If Mitigated
No impact if patched or if only one authentication method is enabled.
🎯 Exploit Status
Exploitation requires user interaction (victim signing up via OAuth2) but the attack flow is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.22.14
Vendor Advisory: https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v
Restart Required: Yes
Instructions:
1. Backup your PocketBase data.
2. Download version 0.22.14 or later from the official repository.
3. Replace the existing PocketBase binary with the new version.
4. Restart the PocketBase service.
🔧 Temporary Workarounds
Disable one authentication method
Disable either OAuth2 or password authentication to prevent the vulnerable account-linking scenario.
Modify the PocketBase configuration to disable either the OAuth2 providers or password authentication.
🧯 If You Can't Patch
- Disable either OAuth2 or password authentication methods immediately
- Enable MFA/OTP (available in v0.23.0) once released and monitor for suspicious login alerts
🔍 How to Verify
Check if Vulnerable:
Check if PocketBase version is below 0.22.14 and both OAuth2 and password authentication are enabled.
Check Version:
./pocketbase --version
Verify Fix Applied:
Confirm version is 0.22.14 or higher and verify the patch resets passwords when linking unverified accounts via OAuth2.
📡 Detection & Monitoring
Log Indicators:
- Multiple authentication method usage for same account
- Password login after OAuth2 linking for previously unverified accounts
- Email alerts about password login with linked OAuth2 accounts
Network Indicators:
- Unusual authentication patterns between OAuth2 and password methods
SIEM Query:
Authentication logs showing user login via password after recent OAuth2 account creation/linking
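The SIEM logic described above, worked through over constructed log lines as an added example; this is not part of the original advisory or of PocketBase itself, and the JSON-lines event format, field names and event names are assumptions, since PocketBase's actual log layout is not given on this page. It flags a password login that follows an OAuth2 link or creation for the same email within a window, and raises severity when that email was first registered by password without verification.

```python
import json
from datetime import datetime, timedelta
# Constructed sample auth events (hypothetical JSON-lines format, not PocketBase's own log layout).
SAMPLE_LOG = """
{"ts": "2024-07-01T09:00:00Z", "email": "victim@example.com", "event": "password_register", "verified": false}
{"ts": "2024-07-03T14:12:00Z", "email": "victim@example.com", "event": "oauth2_link", "provider": "google"}
{"ts": "2024-07-03T15:40:00Z", "email": "victim@example.com", "event": "password_login"}
{"ts": "2024-07-02T08:00:00Z", "email": "alice@example.com", "event": "oauth2_create", "provider": "github"}
{"ts": "2024-06-20T10:00:00Z", "email": "bob@example.com", "event": "password_register", "verified": true}
{"ts": "2024-07-03T10:00:00Z", "email": "bob@example.com", "event": "password_login"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_logins(events, window=timedelta(hours=24)):
    """Flag password logins that follow an OAuth2 link/creation for the same email
    within `window`. Severity is raised when that email was first registered by
    password without verification, the pre-registration pattern behind this CVE."""
    last_oauth2 = {}        # email -> timestamp of most recent oauth2_link / oauth2_create
    unverified_reg = set()  # emails whose password registration was never verified
    findings = []
    for e in events:
        email = e["email"]
        if e["event"] == "password_register" and not e.get("verified", False):
            unverified_reg.add(email)
        elif e["event"] in ("oauth2_link", "oauth2_create"):
            last_oauth2[email] = e["ts"]
        elif e["event"] == "password_login" and email in last_oauth2:
            delta = e["ts"] - last_oauth2[email]
            if timedelta(0) <= delta <= window:
                findings.append({
                    "email": email,
                    "minutes_after_oauth2": int(delta.total_seconds() // 60),
                    "severity": "high" if email in unverified_reg else "medium",
                })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample data only victim@example.com is flagged (password login 88 minutes after the OAuth2 link, severity high); alice's OAuth2-only account and bob's verified password account produce no finding.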