## https://sploitus.com/exploit?id=1EF4AA0B-45D8-513E-B6D6-AF05E52ECFC6
# CVE-2026-49757: AshAuthentication OAuth2/OIDC Account Takeover
Proof of Concept for **CVE-2026-49757**, a critical vulnerability in [AshAuthentication](https://hex.pm/packages/ash_authentication) where OAuth2/OIDC callbacks resolved to local user accounts by **email address** instead of the `(strategy, sub)` identity pair, allowing unauthenticated account takeover.
| Field | Value |
|---|---|
| **CVE** | CVE-2026-49757 |
| **CVSS 4.0** | 9.2 (Critical) |
| **CWE** | CWE-290 (Authentication Bypass by Spoofing) |
| **GHSA** | GHSA-777c-2fxx-qr28 |
| **Affected** | `ash_authentication >= 0.1.0` (patched in 4.14.0 and 5.0.0-rc.0) |

## Fix
1. **`UserResolver` module**: resolves users by `(strategy, sub)` identity instead of email
2. **`on_untrusted_email_match` option**: `:reject` (default), `:confirm`, or `:warn` for unknown subs
3. **`trust_email_verified?` option**: per-provider flag, defaults `true` for GitHub/Google/Auth0/Slack/Apple
4. **Identity unique key**: changed from `(strategy, uid, user_id)` to `(strategy, uid)`
5. **Upsert restrictions**: `user_id` is never updated on conflict
6. **Compile-time warnings**: for strategies without `identity_resource`
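The following is an added example, not AshAuthentication code and not part of the original PoC, written in Python rather than Elixir so the logic runs stand-alone. It models both the vulnerable email-only resolution described at the top of this page and the fix items above: lookup by `(strategy, sub)`, the `reject`/`confirm`/`warn` handling for an unknown sub whose email matches an existing account, a per-provider trust flag for the `email_verified` claim, `(strategy, uid)` as the identity unique key, and an upsert that never overwrites `user_id`. The in-memory `Store`, the `example_idp` provider, the sample claims, and the exact rule that an email match is trusted only when the provider is trusted and `email_verified` is `true` (and the precise behaviour of `confirm` and `warn`) are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str


@dataclass
class Store:
    """Constructed in-memory stand-in for the user and identity resources."""
    users: dict = field(default_factory=dict)       # user_id -> User
    identities: dict = field(default_factory=dict)  # (strategy, uid) -> user_id; the pair is the unique key
    next_id: int = 1

    def user_by_email(self, email):
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)

    def create_user(self, email):
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user

    def upsert_identity(self, strategy, uid, user_id):
        # A conflict on (strategy, uid) keeps the existing owner: user_id is never overwritten.
        return self.identities.setdefault((strategy, uid), user_id)


# Per-provider trust in the email_verified claim. The page lists these five as defaulting to true;
# any provider missing here (for example the constructed "example_idp") is untrusted.
TRUST_EMAIL_VERIFIED = {"github": True, "google": True, "auth0": True, "slack": True, "apple": True}


def resolve_vulnerable(store, strategy, claims, **_):
    """Pre-fix behaviour: any token whose email matches a local account logs in as that account."""
    user = store.user_by_email(claims["email"]) or store.create_user(claims["email"])
    store.upsert_identity(strategy, claims["sub"], user.id)
    return user, "ok"


def resolve_fixed(store, strategy, claims, on_untrusted_email_match="reject"):
    """Post-fix behaviour: the identity is (strategy, sub); email only links when the match is trusted."""
    key = (strategy, claims["sub"])
    if key in store.identities:                      # returning subject: resolve by identity, never by email
        return store.users[store.identities[key]], "ok"
    existing = store.user_by_email(claims["email"])
    if existing is None:                             # new subject and new email: plain registration
        user = store.create_user(claims["email"])
        store.upsert_identity(strategy, claims["sub"], user.id)
        return user, "ok"
    # Unknown sub whose email matches an existing account. Assumed rule: the match is trusted only
    # when the provider is trusted AND the token carries email_verified=true.
    trusted = TRUST_EMAIL_VERIFIED.get(strategy, False) and claims.get("email_verified") is True
    if trusted:
        store.upsert_identity(strategy, claims["sub"], existing.id)
        return existing, "ok"
    if on_untrusted_email_match == "reject":
        return None, "rejected"                      # default: no login, no link
    if on_untrusted_email_match == "confirm":
        return None, "confirmation_required"         # assumed: link only after out-of-band confirmation
    store.upsert_identity(strategy, claims["sub"], existing.id)  # "warn": assumed to link but flag it
    return existing, "warn"


VICTIM = {"sub": "1001", "email": "victim@example.com", "email_verified": True}     # constructed claims
IMPOSTOR = {"sub": "9999", "email": "victim@example.com", "email_verified": False}  # constructed claims


def email_match_outcome(resolver, impostor_strategy="example_idp", **policy):
    """Victim registers via GitHub; a token for the same email but a different (strategy, sub) arrives.
    Returns (status, whether the second token resolved to the victim's account)."""
    store = Store()
    victim, _ = resolver(store, "github", VICTIM)
    user, status = resolver(store, impostor_strategy, IMPOSTOR, **policy)
    return status, (user.id == victim.id) if user else False


def trusted_link_outcome():
    """A verified Google token for the victim's email is allowed to link to the existing account."""
    store = Store()
    victim, _ = resolve_fixed(store, "github", VICTIM)
    user, status = resolve_fixed(store, "google", {"sub": "g-5", "email": VICTIM["email"], "email_verified": True})
    return status, user.id == victim.id, store.identities[("google", "g-5")] == victim.id


if __name__ == "__main__":
    print("vulnerable:", email_match_outcome(resolve_vulnerable))
    for policy in ("reject", "confirm", "warn"):
        print(f"fixed/{policy}:", email_match_outcome(resolve_fixed, on_untrusted_email_match=policy))
    print("trusted link:", trusted_link_outcome())
```

Run as a script, the vulnerable resolver returns the victim's account for the unverified email-matching token, while the fixed resolver with the default `reject` policy returns no account at all; only a token from a trusted provider with `email_verified` set links to the existing user, and a second upsert for an already-known `(strategy, uid)` leaves the original `user_id` in place.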
## References
- [NVD: CVE-2026-49757](https://nvd.nist.gov/vuln/detail/CVE-2026-49757)
- [GHSA-777c-2fxx-qr28](https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28)
- [OpenID Connect Core §5.7: Claim Stability](https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability)
- [AshAuthentication on Hex.pm](https://hex.pm/packages/ash_authentication)
## Disclaimer
This PoC is for educational and defensive testing purposes only. Only test against systems you own or have explicit authorization to test.