VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-36537

Description

ThingsBoard v4.3.0.1 improperly trusts user-supplied email in OAuth callback, allowing remote attackers to take over any account without credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ThingsBoard 4.3.0.1 (and potentially earlier releases; the fixed versions are 4.2.2.1 and 4.3.1.1) is vulnerable to an authentication bypass during the OAuth 2.0 authorization code exchange. The /login/oauth2/code/ endpoint trusts identity data supplied by the client in a user object in the JSON request body instead of taking the identity from the OAuth provider's response. By setting the email field of that object, a remote attacker who can complete an OAuth sign-in with their own account is logged in as any other user, without that user's credentials. The vulnerability was fixed in versions 4.2.2.1 and 4.3.1.1 via pull request #15120 [1].

Exploitation

The attacker first signs up or signs in via Apple ID (or any configured OAuth provider that returns an email claim), then starts a new sign-in and intercepts the resulting request to the /login/oauth2/code/ endpoint. The original request body carries no user field. The attacker adds a JSON user object containing the victim's email address, for example {"email":"victim@example.com"}. The server accepts the supplied identity and responds with a redirect carrying a JWT access token for the victim's account. That token then grants the attacker access to the ThingsBoard web interface and API as the victim [1].

Impact

Successful exploitation results in complete account takeover. The attacker gains full access to the victim's ThingsBoard account, including all associated tenants, dashboards, devices, and other data, without any credentials for that account. The privilege level is that of the victim user, which could be an administrator or any other role [1].

Mitigation

ThingsBoard has released fixed versions 4.2.2.1 and 4.3.1.1; the fix was merged in pull request #15120. Operators should upgrade to a patched version immediately. No workarounds have been published, so instances that cannot be upgraded should at minimum treat OAuth sign-in as untrusted and review audit logs for OAuth logins to accounts that do not normally use the provider. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"The application trusts user-supplied identity data (the email in the `user` parameter) during the OAuth authorization code exchange instead of validating it against the OAuth provider's response."

Attack vector

An attacker first signs up for a legitimate account on the ThingsBoard platform. During a subsequent OAuth sign-in flow (e.g., Sign in with Apple), the attacker intercepts the POST request to `/login/oauth2/code/` and adds a `user` JSON field containing the email address of any existing victim account. The server trusts this injected email and completes the OAuth exchange on behalf of the victim, returning a JWT access token for the victim's account. Note why a `user` field is parsed at all: Sign in with Apple legitimately posts an unsigned `user` JSON object (name and email) to the redirect URI on a user's first authorization. That object arrives from the browser and is therefore attacker-controlled; the only provider-authenticated identity is the email claim inside the signed ID token obtained during the code exchange. The attacker can then use the returned token to fully control the victim's account.

Affected code

The vulnerability lies in the OAuth 2.0 authorization code exchange flow at the `/login/oauth2/code/` endpoint. The application improperly trusts the `user` parameter supplied by the client, allowing an attacker to inject an arbitrary email address into the JSON body of the sign-in request.

What the fix does

The patch (PR #15120) is not shown in the bundle, but the advisory states that ThingsBoard v4.2.2.1 and v4.3.1.1 are no longer vulnerable. A correct fix derives the user's email solely from the provider's verified response (the signed ID token or the userinfo endpoint) and ignores or rejects any client-supplied `user` field during the authorization code exchange; the exact change in PR #15120 is not confirmed by the bundle.
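The exploitation step above and the fix it calls for, as an added example that is not ThingsBoard's code and not the content of PR #15120: a Python simulation of the /login/oauth2/code/ exchange with the vulnerable identity resolution (a client-supplied user.email wins) beside the hardened one (the email is taken only from the provider's verified ID token). The provider issuer, the HS256 signing key, the authorization-code map and the callback body are constructed for the example; real providers sign ID tokens with RS256 against published JWKS keys, and the real ThingsBoard handler and fix may differ in detail.

```python
"""Simulated OAuth2 callback: vulnerable vs hardened identity resolution."""
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the provider's signing material and issuer.
PROVIDER_KEY = b"constructed-provider-signing-key"
ATTACKER_KEY = b"constructed-key-the-provider-never-used"
ISSUER = "https://provider.example"

# Constructed provider state: which account actually authenticated for each code.
CODES = {"code-attacker": "attacker@example.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(email: str, key: bytes) -> str:
    """Build a compact JWT with an email claim, HS256-signed with `key`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "email": email}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def exchange_code(code: str) -> str:
    """Provider side of the code exchange: returns a signed id_token for the
    account that really authenticated. This is the only trustworthy identity."""
    return _sign(CODES[code], PROVIDER_KEY)


def forge_id_token(email: str) -> str:
    """Token an attacker could mint without the provider's key (must be rejected)."""
    return _sign(email, ATTACKER_KEY)


def verify_id_token(token: str) -> dict:
    """Check signature and issuer before believing any claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(PROVIDER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad id_token signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    return claims


def is_token_accepted(token: str) -> bool:
    try:
        verify_id_token(token)
        return True
    except ValueError:
        return False


def resolve_identity_vulnerable(body: dict) -> str:
    """Mirrors the flaw: a `user` object in the callback body overrides the
    identity the provider vouched for."""
    user = body.get("user")
    if isinstance(user, dict) and user.get("email"):
        return user["email"]
    return verify_id_token(exchange_code(body["code"]))["email"]


def resolve_identity_fixed(body: dict) -> str:
    """Hardened: the client-supplied `user` field is ignored entirely; the email
    comes only from the verified id_token returned by the code exchange."""
    return verify_id_token(exchange_code(body["code"]))["email"]


# Constructed callback body exactly as the attacker replays it: a valid code
# for the attacker's own session plus an injected user object.
ATTACK_BODY = {"code": "code-attacker", "state": "xyz",
               "user": {"email": "victim@example.com"}}


def demo() -> tuple:
    return resolve_identity_vulnerable(ATTACK_BODY), resolve_identity_fixed(ATTACK_BODY)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable handler logs in as:", vulnerable)
    print("fixed handler logs in as:     ", fixed)
```

The hardened path also shows the check that matters when a provider does post a `user` object (Apple's first-authorization form POST): the object may be used for display-name defaults, but never as the account selector, which must be bound to the signature-verified email or subject claim.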

Preconditions

  • auth: The attacker must have a valid account on the ThingsBoard instance.
  • network: The attacker must be able to intercept and modify the POST request to /login/oauth2/code/ during an OAuth sign-in flow.
  • input: The target victim must have an existing account on the same ThingsBoard instance.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
