What is CVE-2026-44166?

CVE-2026-44166 is a high-severity vulnerability in Pocketbase, classified under Improper Authentication. CVSS score: 7.6/10. Published 2026-05-12.

How severe is CVE-2026-44166?

High severity. CVSS v3 base score is 7.6 out of 10.

Auth bypass in Pocketbase

CVE-2026-44166

Pocketbase is an open source web backend written in go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticati…

Vulnerability class: Broken Authentication

EPSS: 0.000 (10.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L.

Affected products

Pocketbase — versions < 0.22.42, >= 0.30.0, < 0.37.4

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)

Frequently asked questions

What is CVE-2026-44166?: CVE-2026-44166 is a high-severity vulnerability in Pocketbase, classified under Improper Authentication. CVSS score: 7.6/10. Published 2026-05-12.
How severe is CVE-2026-44166?: High severity. CVSS v3 base score is 7.6 out of 10.