Skip to main content

Pocket ID CVE-2026-43983

| EUVDEUVD-2026-29482 HIGH
Improper Authorization (CWE-285)
2026-05-12 GitHub_M
8.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
May 12, 2026 - 16:02 EUVD
Analysis Generated
May 12, 2026 - 15:31 vuln.today
CVSS changed
May 12, 2026 - 15:22 NVD
8.5 (HIGH)
CVE Published
May 12, 2026 - 14:19 nvd
HIGH 8.5

DescriptionGitHub Advisory

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state before issuing new tokens. This allows (1) the client to refresh the token indefinitely after authorization revocation, (2) the refresh token to continue to work after the account is disabled, and (3) the token to work after the client is removed from the group. This vulnerability is fixed in 2.6.0.

AnalysisAI

Pocket ID OIDC provider fails to validate user authorization state during refresh token exchange, allowing revoked, disabled, or unauthorized users to obtain fresh access tokens indefinitely. Affects all versions prior to 2.6.0. Publicly available exploit code exists via GitHub security advisory GHSA-w6p7-2fxx-4f44. Attack requires low privileges and user interaction (CVSS 8.5) but enables persistent unauthorized access even after administrative revocation actions. Fixed in version 2.6.0.

Technical ContextAI

Pocket ID implements OpenID Connect (OIDC) authentication using passkeys. The vulnerability resides in the createTokenFromRefreshToken function within oidc_service.go, which performs cryptographic validation of the refresh token's signature but omits authorization state checks. OAuth 2.0 and OIDC refresh token flows should verify current user status, group membership, and client authorization before issuing new access tokens. This is a CWE-285 (Improper Authorization) implementation flaw where cryptographic validity is conflated with authorization validity. The CPE cpe:2.3:a:pocket-id:pocket-id indicates this affects the core Pocket ID authentication service, not a specific client integration.

RemediationAI

Upgrade Pocket ID to version 2.6.0 immediately, which includes authorization state validation in the refresh token exchange flow. The patched version re-checks user account status, client authorization, and group membership before issuing new access tokens. Upgrade path documented in GitHub security advisory GHSA-w6p7-2fxx-4f44 (https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44). For environments unable to upgrade immediately, implement compensating controls: (1) Reduce refresh token lifetime to minimum operationally acceptable duration via OIDC configuration - trades security for user re-authentication frequency and potential service disruption during token expiry; (2) Monitor and revoke ALL refresh tokens when revoking user access or disabling accounts - requires manual operational process and does not prevent exploitation window between revocation and token expiry; (3) Implement application-layer authorization checks that verify user status independently of Pocket ID tokens - adds latency and duplicates authorization logic but provides defense in depth. Note that refresh token revocation alone is insufficient per the vulnerability description, requiring forced token expiration or user re-authentication.

Share

CVE-2026-43983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy