Summary
PocketBase performs password auth and OAuth2 unverified email linking
In order to be exploited you must have both OAuth2 and Password auth methods enabled.
A possible attack scenario could be:
- a malicious actor register with the targeted user's email (it is unverified)
- at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (this step could be also initiated by the attacker by sending an invite email to the targeted user)
- on successful OAuth2 auth we search for an existing PocketBase user matching with the OAuth2 user's email and associate them
- because we haven't changed the password of the existing PocketBase user during the linking, the malicious actor has access to the targeted user account and will be able to login with the initially created email/password
To prevent this for happening we now reset the password for this specific case if the previously created user wasn't verified (an exception to this is if the linking is explicit/manual, aka. when you send Authorization:TOKEN with the OAuth2 auth call).
Additionally to warn existing users we now send an email alert in case the user has logged in with password but has at least one OAuth2 account linked. It looks something like:
Hello,
Just to let you know that someone has logged in to your Acme account using a password while you already have OAuth2 GitLab auth linked.
If you have recently signed in with a password, you may disregard this email.
If you don't recognize the above action, you should immediately change your Acme account password.
Thanks,
Acme team
The flow will be further improved with the ongoing refactoring and we will start sending emails for "unrecognized device" logins (OTP and MFA is already implemented and will be available with the next v0.23.0 release in the near future).
Impact
The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.
CVE-2024-38351 has a CVSS score of 5.4 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.22.14); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-38351? CVE-2024-38351 is a medium-severity improper authentication vulnerability in github.com/pocketbase/pocketbase (go), affecting versions < 0.22.14. It is fixed in 0.22.14. The application does not adequately verify the identity of a user, device, or process before granting access.
- How severe is CVE-2024-38351? CVE-2024-38351 has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/pocketbase/pocketbase are affected by CVE-2024-38351? github.com/pocketbase/pocketbase (go) versions < 0.22.14 is affected.
- Is there a fix for CVE-2024-38351? Yes. CVE-2024-38351 is fixed in 0.22.14. Upgrade to this version or later.
- Is CVE-2024-38351 exploitable, and should I be worried? Whether CVE-2024-38351 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-38351 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-38351? Upgrade
github.com/pocketbase/pocketbaseto 0.22.14 or later.