High severityNVD Advisory· Published Dec 8, 2020· Updated Aug 4, 2024

omniauth-apple allows attacker to fake their email address during authentication

CVE-2020-26254

Description

omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
omniauth-appleRubyGems	< 1.0.1	1.0.1

Affected products

Nhosoya/Omniauth Applev5
Range: < 1.0.1

Patches

b37d5409213a

Use only verified email address to prevent fake email address

https://github.com/nhosoya/omniauth-applenhosoyaDec 2, 2020via ghsa

commit

2 files changed · +16 −1

lib/omniauth/strategies/apple.rb+1 −1 modified

@@ -104,7 +104,7 @@ def user_info
       end
 
       def email
-        user_info['email'] || id_info['email']
+        id_info['email']
       end
 
       def first_name

spec/omniauth/strategies/apple_spec.rb+15 −0 modified

@@ -252,6 +252,21 @@
       end
     end
 
+    context 'with a spoofed email in the user payload' do
+      before do
+        request.params['user'] = {
+          name: {
+            firstName: 'first',
+            lastName: 'last'
+          },
+          email: "spoofed@example.com"
+        }.to_json
+      end
+
+      it 'should return the true email' do
+        expect(subject.info[:email]).to eq('something@privatrerelay.appleid.com')
+      end
+    end
   end
 
   describe '#extra' do

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-49r3-2549-3633ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-26254ghsaADVISORY
github.com/nhosoya/omniauth-apple/blob/master/CHANGELOG.mdghsax_refsource_MISCWEB
github.com/nhosoya/omniauth-apple/commit/b37d5409213adae2ca06a67fec14c8d3d07d9016ghsax_refsource_MISCWEB
github.com/nhosoya/omniauth-apple/security/advisories/GHSA-49r3-2549-3633ghsax_refsource_CONFIRMWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-apple/CVE-2020-26254.ymlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000