Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state before issuing new tokens. This allows (1) the client to refresh the token indefinitely after authorization revocation, (2) the refresh token to continue to work after the account is disabled, and (3) the token to work after the client is removed from the group. This vulnerability is fixed in 2.6.0.
AnalysisAI
Pocket ID OIDC provider fails to validate user authorization state during refresh token exchange, allowing revoked, disabled, or unauthorized users to obtain fresh access tokens indefinitely. Affects all versions prior to 2.6.0. Publicly available exploit code exists via GitHub security advisory GHSA-w6p7-2fxx-4f44. Attack requires low privileges and user interaction (CVSS 8.5) but enables persistent unauthorized access even after administrative revocation actions. Fixed in version 2.6.0.
Technical ContextAI
Pocket ID implements OpenID Connect (OIDC) authentication using passkeys. The vulnerability resides in the createTokenFromRefreshToken function within oidc_service.go, which performs cryptographic validation of the refresh token's signature but omits authorization state checks. OAuth 2.0 and OIDC refresh token flows should verify current user status, group membership, and client authorization before issuing new access tokens. This is a CWE-285 (Improper Authorization) implementation flaw where cryptographic validity is conflated with authorization validity. The CPE cpe:2.3:a:pocket-id:pocket-id indicates this affects the core Pocket ID authentication service, not a specific client integration.
RemediationAI
Upgrade Pocket ID to version 2.6.0 immediately, which includes authorization state validation in the refresh token exchange flow. The patched version re-checks user account status, client authorization, and group membership before issuing new access tokens. Upgrade path documented in GitHub security advisory GHSA-w6p7-2fxx-4f44 (https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44). For environments unable to upgrade immediately, implement compensating controls: (1) Reduce refresh token lifetime to minimum operationally acceptable duration via OIDC configuration - trades security for user re-authentication frequency and potential service disruption during token expiry; (2) Monitor and revoke ALL refresh tokens when revoking user access or disabling accounts - requires manual operational process and does not prevent exploitation window between revocation and token expiry; (3) Implement application-layer authorization checks that verify user status independently of Pocket ID tokens - adds latency and duplicates authorization logic but provides defense in depth. Note that refresh token revocation alone is insufficient per the vulnerability description, requiring forced token expiration or user re-authentication.
Pocket ID versions prior to 2.4.0 fail to properly validate authorization codes at the OIDC token endpoint, enabling att
Pocket ID versions 2.0.0 through 2.3.x suffer from improper callback URL validation that allows attackers to bypass redi
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29482