CVE-2026-49757— team-alembic ash authentication 授权问题漏洞

OAuth2/OIDC account takeover in AshAuthentication via email-based user matching

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers. A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges. The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?). This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.

N/A

使用欺骗进行的认证绕过

team-alembic ash authentication 授权问题漏洞

team-alembic ash authentication是team-alembic团队的一个身份认证系统。 team-alembic ash authentication 0.1.0至4.14.0之前版本和5.0.0-rc.0至5.0.0-rc.10之前版本存在授权问题漏洞，该漏洞源于使用电子邮件地址而非OpenID Connect iss/sub声明组合进行用户匹配，可能导致未经身份验证的攻击者通过OAuth2/OIDC登录获取本地用户完整权限。

N/A

N/A