Which versions of Pocket ID are affected by CVE-2026-43983?

Pocket ID OIDC provider versions before 2.6.0 contain a critical authorization bypass in refresh token handling that allows revoked or disabled users to maintain indefinite access to protected…. A patch is available.

Is there a public PoC exploit available for CVE-2026-43983?

Yes, a public proof-of-concept exploit is available for CVE-2026-43983. Prioritise patching immediately. EPSS: 0.0%.

Pocket ID CVE-2026-43983

Q: What is the CVSS score of CVE-2026-43983?

CVE-2026-43983 has a CVSS 4.0 base score of 8.5 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-29482 HIGH

Improper Authorization (CWE-285)

2026-05-12 GitHub_M

Authentication Bypass

8.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Patch available

May 12, 2026 - 16:02 EUVD

Analysis Generated

May 12, 2026 - 15:31 vuln.today

CVSS changed

May 12, 2026 - 15:22 NVD

8.5 (HIGH)

CVE Published

May 12, 2026 - 14:19 nvd

HIGH 8.5

DescriptionNVD

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state before issuing new tokens. This allows (1) the client to refresh the token indefinitely after authorization revocation, (2) the refresh token to continue to work after the account is disabled, and (3) the token to work after the client is removed from the group. This vulnerability is fixed in 2.6.0.

AnalysisAI

Pocket ID OIDC provider fails to validate user authorization state during refresh token exchange, allowing revoked, disabled, or unauthorized users to obtain fresh access tokens indefinitely. Affects all versions prior to 2.6.0. …

RemediationAI

Within 24 hours: Inventory all Pocket ID OIDC provider deployments and document current versions; alert security and application teams of the authorization bypass risk. Within 7 days: Upgrade all Pocket ID instances to version 2.6.0 or later; coordinate with dependent applications to validate token validation post-upgrade. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-43983 vulnerability details – vuln.today

Back

Pocket ID CVE-2026-43983

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Pocket ID CVE-2026-43983

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code