HB
Email is Not Identity: CVE-2026-49757 — Account Takeover in AshAuthentication's OAuth2/OIDC Strategies
On June 15, 2026, a critical vulnerability was disclosed in AshAuthentication — the authentication extension for the Ash Framework in Elixir — that allows an unauthenticated attacker to take over any local user’s account through the OAuth2 or OpenID Connect sign-in flow. T…