[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-49757":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-15T16:50:22.492Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":468,"aliases":469,"duplicate_of":9,"upstream":470,"downstream":471,"duplicates":472,"related":473,"reserved_at":9,"published_at":474,"modified_at":475,"state":476,"summary":477,"references_raw":484,"kevs":509,"epss":9,"epss_history":510,"metrics":511,"affected":518},"CVE-2026-49757","Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\n\nAshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.\n\nA provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges.\n\nThe fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?).\n\nThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-290","Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.","weakness","Incomplete","Base",[19,194,198,202,206,282,286,290,429,433],{"id":20,"name":21,"techniques":22},"CAPEC-21","Exploitation of Trusted Identifiers",[23,140,170],{"id":24,"name":25,"tactics":26,"countermeasures":36},"T1134","Access Token Manipulation",[27,30,33],{"id":28,"name":29},"TA0030","Defense Evasion",{"id":31,"name":32},"TA0005","Stealth",{"id":34,"name":35},"TA0111","Privilege Escalation",[37,42,46,50,55,59,63,67,71,76,80,84,89,94,98,102,106,110,115,119,124,128,132,136],{"id":38,"name":39,"tactic":40},"D3-CI","Configuration Inventory",{"name":41},"Model",{"id":43,"name":44,"tactic":45},"D3-NTPM","Network Traffic Policy Mapping",{"name":41},{"id":47,"name":48,"tactic":49},"D3-AM","Access Modeling",{"name":41},{"id":51,"name":52,"tactic":53},"D3-AEM","Application Exception Monitoring",{"name":54},"Detect",{"id":56,"name":57,"tactic":58},"D3-SCA","System Call Analysis",{"name":54},{"id":60,"name":61,"tactic":62},"D3-CCSA","Credential Compromise Scope Analysis",{"name":54},{"id":64,"name":65,"tactic":66},"D3-OPM","Operational Process Monitoring",{"name":54},{"id":68,"name":69,"tactic":70},"D3-PSA","Process Spawn Analysis",{"name":54},{"id":72,"name":73,"tactic":74},"D3-ST","Session Termination",{"name":75},"Evict",{"id":77,"name":78,"tactic":79},"D3-CR","Credential Revocation",{"name":75},{"id":81,"name":82,"tactic":83},"D3-ANCI","Authentication Cache Invalidation",{"name":75},{"id":85,"name":86,"tactic":87},"D3-DUC","Decoy User Credential",{"name":88},"Deceive",{"id":90,"name":91,"tactic":92},"D3-CH","Credential Hardening",{"name":93},"Harden",{"id":95,"name":96,"tactic":97},"D3-MFA","Multi-factor Authentication",{"name":93},{"id":99,"name":100,"tactic":101},"D3-CRO","Credential Rotation",{"name":93},{"id":103,"name":104,"tactic":105},"D3-TB","Token Binding",{"name":93},{"id":107,"name":108,"tactic":109},"D3-TBA","Token-based Authentication",{"name":93},{"id":111,"name":112,"tactic":113},"D3-RC","Restore Configuration",{"name":114},"Restore",{"id":116,"name":117,"tactic":118},"D3-RIC","Reissue Credential",{"name":114},{"id":120,"name":121,"tactic":122},"D3-SCF","System Call Filtering",{"name":123},"Isolate",{"id":125,"name":126,"tactic":127},"D3-CTS","Credential Transmission Scoping",{"name":123},{"id":129,"name":130,"tactic":131},"D3-EAL","Executable Allowlisting",{"name":123},{"id":133,"name":134,"tactic":135},"D3-EDL","Executable Denylisting",{"name":123},{"id":137,"name":138,"tactic":139},"D3-HBPI","Hardware-based Process Isolation",{"name":123},{"id":141,"name":142,"tactics":143,"countermeasures":147},"T1528","Steal Application Access Token",[144],{"id":145,"name":146},"TA0031","Credential Access",[148,150,152,154,156,158,160,162,164,166,168],{"id":60,"name":61,"tactic":149},{"name":54},{"id":77,"name":78,"tactic":151},{"name":75},{"id":81,"name":82,"tactic":153},{"name":75},{"id":85,"name":86,"tactic":155},{"name":88},{"id":90,"name":91,"tactic":157},{"name":93},{"id":95,"name":96,"tactic":159},{"name":93},{"id":99,"name":100,"tactic":161},{"name":93},{"id":103,"name":104,"tactic":163},{"name":93},{"id":107,"name":108,"tactic":165},{"name":93},{"id":116,"name":117,"tactic":167},{"name":114},{"id":125,"name":126,"tactic":169},{"name":123},{"id":171,"name":172,"tactics":173,"countermeasures":175},"T1539","Steal Web Session Cookie",[174],{"id":145,"name":146},[176,178,180,182,184,186,188,190,192],{"id":60,"name":61,"tactic":177},{"name":54},{"id":77,"name":78,"tactic":179},{"name":75},{"id":81,"name":82,"tactic":181},{"name":75},{"id":85,"name":86,"tactic":183},{"name":88},{"id":90,"name":91,"tactic":185},{"name":93},{"id":95,"name":96,"tactic":187},{"name":93},{"id":99,"name":100,"tactic":189},{"name":93},{"id":116,"name":117,"tactic":191},{"name":114},{"id":125,"name":126,"tactic":193},{"name":123},{"id":195,"name":196,"techniques":197},"CAPEC-22","Exploiting Trust in Client",[],{"id":199,"name":200,"techniques":201},"CAPEC-459","Creating a Rogue Certification Authority Certificate",[],{"id":203,"name":204,"techniques":205},"CAPEC-461","Web Services API Signature Forgery Leveraging Hash Function Extension Weakness",[],{"id":207,"name":208,"techniques":209},"CAPEC-473","Signature Spoof",[210,273],{"id":211,"name":212,"tactics":213,"countermeasures":216},"T1036.001","Invalid Code Signature",[214,215],{"id":28,"name":29},{"id":31,"name":32},[217,221,225,229,233,237,241,245,249,253,257,261,265,269,271],{"id":218,"name":219,"tactic":220},"D3-FA","File Analysis",{"name":54},{"id":222,"name":223,"tactic":224},"D3-FIM","File Integrity Monitoring",{"name":54},{"id":226,"name":227,"tactic":228},"D3-DA","Dynamic Analysis",{"name":54},{"id":230,"name":231,"tactic":232},"D3-EFA","Emulated File Analysis",{"name":54},{"id":234,"name":235,"tactic":236},"D3-FEV","File Eviction",{"name":75},{"id":238,"name":239,"tactic":240},"D3-DF","Decoy File",{"name":88},{"id":242,"name":243,"tactic":244},"D3-FE","File Encryption",{"name":93},{"id":246,"name":247,"tactic":248},"D3-RF","Restore File",{"name":114},{"id":250,"name":251,"tactic":252},"D3-CF","Content Filtering",{"name":123},{"id":254,"name":255,"tactic":256},"D3-LFP","Local File Permissions",{"name":123},{"id":258,"name":259,"tactic":260},"D3-RFAM","Remote File Access Mediation",{"name":123},{"id":262,"name":263,"tactic":264},"D3-CQ","Content Quarantine",{"name":123},{"id":266,"name":267,"tactic":268},"D3-CM","Content Modification",{"name":123},{"id":129,"name":130,"tactic":270},{"name":123},{"id":133,"name":134,"tactic":272},{"name":123},{"id":274,"name":275,"tactics":276,"countermeasures":281},"T1553.002","Code Signing",[277,278],{"id":28,"name":29},{"id":279,"name":280},"TA0112","Defense Impairment",[],{"id":283,"name":284,"techniques":285},"CAPEC-476","Signature Spoofing by Misrepresentation",[],{"id":287,"name":288,"techniques":289},"CAPEC-59","Session Credential Falsification through Prediction",[],{"id":291,"name":292,"techniques":293},"CAPEC-60","Reusing Session IDs (aka Session Replay)",[294,324],{"id":295,"name":296,"tactics":297,"countermeasures":301},"T1134.001","Token Impersonation/Theft",[298,299,300],{"id":28,"name":29},{"id":31,"name":32},{"id":34,"name":35},[302,304,306,308,310,312,314,316,318,320,322],{"id":60,"name":61,"tactic":303},{"name":54},{"id":77,"name":78,"tactic":305},{"name":75},{"id":81,"name":82,"tactic":307},{"name":75},{"id":85,"name":86,"tactic":309},{"name":88},{"id":90,"name":91,"tactic":311},{"name":93},{"id":95,"name":96,"tactic":313},{"name":93},{"id":99,"name":100,"tactic":315},{"name":93},{"id":103,"name":104,"tactic":317},{"name":93},{"id":107,"name":108,"tactic":319},{"name":93},{"id":116,"name":117,"tactic":321},{"name":114},{"id":125,"name":126,"tactic":323},{"name":123},{"id":325,"name":326,"tactics":327,"countermeasures":332},"T1550.004","Web Session Cookie",[328,329],{"id":28,"name":29},{"id":330,"name":331},"TA0109","Lateral Movement",[333,337,341,345,349,353,357,361,365,369,373,375,377,381,385,389,393,395,397,399,401,403,405,407,411,415,417,419,423,427],{"id":334,"name":335,"tactic":336},"D3-UGLPA","User Geolocation Logon Pattern Analysis",{"name":54},{"id":338,"name":339,"tactic":340},"D3-PMAD","Protocol Metadata Anomaly Detection",{"name":54},{"id":342,"name":343,"tactic":344},"D3-CSPP","Client-server Payload Profiling",{"name":54},{"id":346,"name":347,"tactic":348},"D3-PHDURA","Per Host Download-Upload Ratio Analysis",{"name":54},{"id":350,"name":351,"tactic":352},"D3-NTSA","Network Traffic Signature Analysis",{"name":54},{"id":354,"name":355,"tactic":356},"D3-APCA","Application Protocol Command Analysis",{"name":54},{"id":358,"name":359,"tactic":360},"D3-NTCD","Network Traffic Community Deviation",{"name":54},{"id":362,"name":363,"tactic":364},"D3-RTSD","Remote Terminal Session Detection",{"name":54},{"id":366,"name":367,"tactic":368},"D3-PLA","Process Lineage Analysis",{"name":54},{"id":370,"name":371,"tactic":372},"D3-PSMD","Process Self-Modification Detection",{"name":54},{"id":68,"name":69,"tactic":374},{"name":54},{"id":60,"name":61,"tactic":376},{"name":54},{"id":378,"name":379,"tactic":380},"D3-PT","Process Termination",{"name":75},{"id":382,"name":383,"tactic":384},"D3-PS","Process Suspension",{"name":75},{"id":386,"name":387,"tactic":388},"D3-HR","Host Reboot",{"name":75},{"id":390,"name":391,"tactic":392},"D3-HS","Host Shutdown",{"name":75},{"id":77,"name":78,"tactic":394},{"name":75},{"id":81,"name":82,"tactic":396},{"name":75},{"id":85,"name":86,"tactic":398},{"name":88},{"id":90,"name":91,"tactic":400},{"name":93},{"id":95,"name":96,"tactic":402},{"name":93},{"id":99,"name":100,"tactic":404},{"name":93},{"id":116,"name":117,"tactic":406},{"name":114},{"id":408,"name":409,"tactic":410},"D3-NTF","Network Traffic Filtering",{"name":123},{"id":412,"name":413,"tactic":414},"D3-KBPI","Kernel-based Process Isolation",{"name":123},{"id":120,"name":121,"tactic":416},{"name":123},{"id":137,"name":138,"tactic":418},{"name":123},{"id":420,"name":421,"tactic":422},"D3-ABPI","Application-based Process Isolation",{"name":123},{"id":424,"name":425,"tactic":426},"D3-WSAM","Web Session Access Mediation",{"name":123},{"id":125,"name":126,"tactic":428},{"name":123},{"id":430,"name":431,"techniques":432},"CAPEC-667","Bluetooth Impersonation AttackS (BIAS)",[],{"id":434,"name":435,"techniques":436},"CAPEC-94","Adversary in the Middle (AiTM)",[437],{"id":438,"name":439,"tactics":440,"countermeasures":445},"T1557","Adversary-in-the-Middle",[441,442],{"id":145,"name":146},{"id":443,"name":444},"TA0100","Collection",[446,448,450,452,454,456,458,460,462,466],{"id":334,"name":335,"tactic":447},{"name":54},{"id":338,"name":339,"tactic":449},{"name":54},{"id":342,"name":343,"tactic":451},{"name":54},{"id":346,"name":347,"tactic":453},{"name":54},{"id":350,"name":351,"tactic":455},{"name":54},{"id":354,"name":355,"tactic":457},{"name":54},{"id":358,"name":359,"tactic":459},{"name":54},{"id":362,"name":363,"tactic":461},{"name":54},{"id":463,"name":464,"tactic":465},"D3-CAA","Connection Attempt Analysis",{"name":54},{"id":408,"name":409,"tactic":467},{"name":123},[],[],[],[],[],[],"2026-06-15T10:07:17.781Z","2026-06-15T14:14:37.882Z","Received",{"cisa_kev":478,"cisa_ransomware":478,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":479,"severity_score":480,"severity_version":481,"severity_source":482,"severity_vector":483,"severity_status":476},false,"critical",9.2,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[485,492,496,500,505],{"url":486,"sources":487,"tags":489},"https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28",[482,488],"nvd",[490,491],"Vendor Advisory","Related",{"url":493,"sources":494,"tags":495},"https://cna.erlef.org/cves/CVE-2026-49757.html",[482,488],[491],{"url":497,"sources":498,"tags":499},"https://osv.dev/vulnerability/EEF-CVE-2026-49757",[482,488],[491],{"url":501,"sources":502,"tags":503},"https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d",[482,488],[504],"Patch",{"url":506,"sources":507,"tags":508},"https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7",[482,488],[504],[],[],[512,515],{"source":482,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":513},{"baseScore":480,"baseSeverity":514,"vectorString":483,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":488,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":516},{"baseScore":480,"baseSeverity":514,"vectorString":517,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[519],{"ecosystem":9,"name":520,"vendor":521,"product":520,"cpe_part":522,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":523},"ash_authentication","team-alembic","a",[524,531,535],{"version":525,"is_range":526,"range_type":482,"version_start":527,"version_start_type":528,"version_end":529,"version_end_type":530,"fixed_in":9},">= 0.1.0, \u003C 4.14.0",true,"0.1.0","including","4.14.0","excluding",{"version":532,"is_range":526,"range_type":482,"version_start":533,"version_start_type":528,"version_end":534,"version_end_type":530,"fixed_in":9},">= 5.0.0-rc.0, \u003C 5.0.0-rc.10","5.0.0-rc.0","5.0.0-rc.10",{"version":536,"is_range":526,"range_type":482,"version_start":537,"version_start_type":528,"version_end":538,"version_end_type":530,"fixed_in":9},">= c5f589058e04239263f50a1430eb17ea6d5dd1a2, \u003C *","c5f589058e04239263f50a1430eb17ea6d5dd1a2","*"]