TYPO3 Core

In TYPO3\CMS\Core\Authentication\AbstractUserAuthentication, line 919 reads (as of current main):

if ($this->checkPid && $this->checkPid_value !== null) {

As $this->checkPid_value may be a string it may be empty, which is not checked. In that case TYPO3\CMS\Core\Authentication\AbstractAuthenticationService->fetchUserRecord() will end up with a corrupt SQL query containing a restriction like ... AND pid in ()...

So, I'd like to suggest to check for an empty string, as well.

if ($this->checkPid && $this->checkPid_value !== null && $this->checkPid_value !== '') {