CVE-2026-28512
HIGH
GHSA-9h33-g3ww-mqff
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
4Tags
Description
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.
Analysis
Pocket ID versions 2.0.0 through 2.3.x suffer from improper callback URL validation that allows attackers to bypass redirect URI restrictions using URL userinfo characters (@), enabling authorization code interception. An attacker can craft a malicious authorization link to redirect authentication codes to an attacker-controlled server if a user is tricked into clicking it. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Pocket ID versions 2.0.0-2.4.0 and assess usage context (which applications/users depend on it). Within 7 days: Implement WAF rules to block suspicious redirect parameters and monitor authentication logs for suspicious redirects; communicate risk status to affected user base. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today