Calmony Pay documentation. Updated March 15, 2026

Security Advisory: OAuth Account Linking Vulnerability (SEC-03)

Severity: High
Control: SEC-03
OWASP Category: Broken Authentication
Affected versions: < 1.0.54
Fixed in: v1.0.54
Affected file: src/platform/auth/providers.ts


Summary

Versions prior to v1.0.54 configured all four OAuth providers with allowDangerousEmailAccountLinking: true. This setting bypasses account isolation by automatically merging any incoming OAuth identity with an existing account that shares the same email address — without requiring the user to be authenticated or to give explicit consent.


Affected Providers

  • Google
  • GitHub
  • Microsoft Entra
  • Okta

Vulnerability Detail

When allowDangerousEmailAccountLinking is enabled, the authentication library will silently link a new OAuth login to an existing account if both share the same email address. This creates an account takeover vector:

  1. Victim has an account registered via Google using user@example.com.
  2. Attacker registers a GitHub account and verifies user@example.com with GitHub.
  3. Attacker authenticates via GitHub OAuth.
  4. Because the emails match, the attacker's GitHub identity is merged into the victim's existing account.
  5. Attacker now has full access to the victim's account.

This attack does not require any interaction from the victim and bypasses all password-based protections.


Resolution in v1.0.54

allowDangerousEmailAccountLinking: true has been removed from all provider configurations in src/platform/auth/providers.ts.

The default behaviour is now strict account isolation: an OAuth identity will only be linked to an existing account if the user is already authenticated and explicitly initiates the link.


Recommended Posture

Scenario / Recommended approach:

  • No cross-provider linking needed: leave allowDangerousEmailAccountLinking unset (default: false).
  • Cross-provider linking desired: implement an explicit consent flow — user must be authenticated first, then confirm the link.
  • Partial linking required: restrict to providers that guarantee email verification, and still require user consent.

Action Required

If you are running a version earlier than v1.0.54, upgrade immediately. No configuration changes are required after upgrading — the insecure setting has been removed at the source.

If your application previously relied on automatic cross-provider account merging as a feature, you will need to implement an explicit consent-based linking flow before users can connect multiple OAuth providers to a single account.
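As an added example (not Calmony Pay's own code, and not the provider configuration in src/platform/auth/providers.ts), the following TypeScript models the linking decision this advisory turns on: the silent email-based merge behind the takeover scenario in Vulnerability Detail, beside the strict, authenticated and consent-based linking that v1.0.54 and the posture above call for. The identity, account, session and policy types are hypothetical.

```typescript
// Added example (not Calmony Pay code): a minimal model of the account-linking
// decision this advisory describes. All names and types here are hypothetical.
interface OAuthIdentity {
  provider: string;          // e.g. "google", "github"
  providerAccountId: string; // stable subject id issued by the provider
  email: string;
}
interface Account { id: string; email: string; identities: OAuthIdentity[] }
// null when the login does not arrive from an already-authenticated session
type Session = { accountId: string } | null;
interface LinkPolicy {
  allowDangerousEmailAccountLinking: boolean; // the pre-1.0.54 setting
  userConsented: boolean;                     // user explicitly initiated the link
}
type Decision =
  | { kind: "sign-in"; accountId: string } // identity already bound to an account
  | { kind: "create" }                     // no match at all: provision a new account
  | { kind: "link"; accountId: string }    // bind the identity to an existing account
  | { kind: "reject"; reason: string };

function resolveOAuthLogin(
  id: OAuthIdentity, accounts: Account[], session: Session, policy: LinkPolicy,
): Decision {
  // 1. An identity already bound to an account is a plain sign-in; email plays no role.
  const bound = accounts.find(a => a.identities.some(
    i => i.provider === id.provider && i.providerAccountId === id.providerAccountId));
  if (bound) return { kind: "sign-in", accountId: bound.id };
  const byEmail = accounts.find(a => a.email.toLowerCase() === id.email.toLowerCase());

  // 2. Explicit linking: only from an authenticated session, only with consent, and
  //    only onto the session's own account, never onto an account that owns this email.
  if (session) {
    if (!policy.userConsented) return { kind: "reject", reason: "consent required" };
    if (byEmail && byEmail.id !== session.accountId)
      return { kind: "reject", reason: "email belongs to another account" };
    return { kind: "link", accountId: session.accountId };
  }

  // 3. Unauthenticated login whose email collides with an existing account.
  if (byEmail) {
    // Pre-1.0.54 behaviour: silent merge on email match alone (the SEC-03 takeover vector).
    if (policy.allowDangerousEmailAccountLinking) return { kind: "link", accountId: byEmail.id };
    // v1.0.54 behaviour: strict isolation; sign in with the provider already on file first.
    return { kind: "reject", reason: "sign in with the original provider, then link" };
  }
  return { kind: "create" };
}
```

Run against the advisory's scenario (a Google-registered account and a second provider presenting the same address), the policy yields a link only under the removed setting or from an authenticated, consenting session; every other path is a rejection, a plain sign-in, or a fresh account.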


References