## https://sploitus.com/exploit?id=98D7FC0C-3955-56D1-8337-74FE94A341E4
# CVE-2026-44166 - PocketBase OAuth2 Account Pre-Hijacking

Self-contained lab + writeup for **CVE-2026-44166**: an attacker with any account on a configured
OAuth2 provider can pre-claim a victim's email on an OAuth2-enabled PocketBase collection, locking the
real owner out (single provider) or silently co-owning their account (two+ providers).
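The following is an added illustration of the weakness class described above, not code from the PocketBase project or from this lab. It models an auth collection that attaches OAuth2 identities to records by the email the provider reports, replays both variants (one provider: the genuine owner is locked out; two providers: the genuine owner's sign-in is silently attached to the attacker's record), and contrasts that with an assumed hardened policy in which only a provider-verified email claim can reserve an address or merge into an existing record. Identity names, the `Store`/`Account` types and the `email_verified` userinfo field are assumptions made for the demo.

```python
"""Toy model of OAuth2 account pre-hijacking (added example, not PocketBase code)."""
from dataclasses import dataclass, field
from typing import Optional


class LinkRefused(Exception):
    """Raised when a sign-in is not attached to any record."""


@dataclass
class Account:
    email: Optional[str]
    identities: list = field(default_factory=list)  # (provider, subject) pairs
    email_verified: bool = False


class Store:
    """In-memory stand-in for an auth collection (constructed for the demo)."""

    def __init__(self):
        self.by_identity: dict = {}  # (provider, subject) -> Account
        self.by_email: dict = {}     # email -> Account that owns the address


def link_oauth2_insecure(store, provider, userinfo):
    """Flawed policy: the first record created with an email owns it, and any
    later identity reporting the same email is attached to that record."""
    ident = (provider, userinfo["sub"])
    if ident in store.by_identity:
        return store.by_identity[ident]
    acct = store.by_email.get(userinfo["email"])
    if acct is None:
        # The provider's email claim is trusted unconditionally.
        acct = Account(userinfo["email"], [ident], email_verified=True)
        store.by_email[acct.email] = acct
    elif any(p == provider for p, _ in acct.identities):
        # One external identity per provider per record: the genuine owner of
        # the address, arriving second, cannot sign in at all.
        raise LinkRefused("email already registered via this provider")
    else:
        # Different provider, same email: silently co-owned.
        acct.identities.append(ident)
    store.by_identity[ident] = acct
    return acct


def link_oauth2_hardened(store, provider, userinfo):
    """Assumed hardened policy: only a claim the provider marks as verified can
    reserve an address or merge into an existing record. Unverified claims get a
    record of their own that owns no email, so they cannot pre-empt the owner."""
    ident = (provider, userinfo["sub"])
    if ident in store.by_identity:
        return store.by_identity[ident]
    email = userinfo.get("email")
    verified = email is not None and userinfo.get("email_verified") is True
    existing = store.by_email.get(email) if verified else None
    if existing is None:
        acct = Account(email, [ident], email_verified=verified)
        if verified:
            store.by_email[email] = acct
        store.by_identity[ident] = acct
        return acct
    # Verified claim for an address already owned by a verified record: attach.
    # This still trusts the provider's verified flag; a real application may
    # prefer an interactive confirmation step before merging.
    existing.identities.append(ident)
    store.by_identity[ident] = existing
    return existing


def run_scenarios():
    """Replays both variants from the writeup against each policy.
    Subjects and emails are constructed sample data."""
    victim = {"sub": "victim-1", "email": "victim@example.com", "email_verified": True}
    attacker = {"sub": "attacker-1", "email": "victim@example.com", "email_verified": False}
    results = {}
    for name, link in (("insecure", link_oauth2_insecure), ("hardened", link_oauth2_hardened)):
        # Variant A: single provider, attacker signs in first.
        s = Store()
        a = link(s, "mock", attacker)
        try:
            v = link(s, "mock", victim)
            results[f"{name}_single"] = "co-owned" if a is v else "separate"
        except LinkRefused:
            results[f"{name}_single"] = "victim locked out"
        # Variant B: two providers, attacker on A, victim on B.
        s = Store()
        a = link(s, "providerA", attacker)
        v = link(s, "providerB", victim)
        results[f"{name}_two"] = "co-owned" if a is v else "separate"
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:16} {v}")
```

The insecure policy reproduces both outcomes the writeup names; the hardened one leaves the attacker with an orphan record that owns no address, so the victim's later verified sign-in creates and owns its own record.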

- **Affected:** `= 0.30.0,`

```text
  victim owns the account
[3] Attacker re-auth: email=attacker@evil.com id=...  same-as-victim=False
```

## Files

| File | Purpose |
|---|---|
| [`WRITEUP.md`](WRITEUP.md) | Full root-cause analysis, both attack variants, remediation, detection |
| `fetch_binaries.py` | Downloads the 0.37.3 / 0.37.4 binaries for your OS/arch |
| `mock_oauth2_server.py` | ~30-line offline mock OAuth2 provider (token + userinfo) |
| `poc.py` | Variant A exploit against the vulnerable build |
| `verify_fix.py` | Runs the same scenario on any build and reports the outcome |

## ⚠️ Authorised use only

For education and authorised security testing (your own lab, CTF/HTB boxes, in-scope bug bounty
targets). The lab is deliberately offline so it never touches third-party infrastructure.