High severity · NVD Advisory · Published Mar 9, 2026 · Updated Mar 10, 2026
Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion
CVE-2026-28512
Description
Pocket ID is an OIDC provider that lets users authenticate to your services with their passkeys. In versions from 2.0.0 up to (but not including) 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (the part of the authority before "@") to bypass the legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host instead of the registered callback. This vulnerability is fixed in 2.4.0.
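To make the userinfo confusion concrete, the following Go program is an added illustration written for this page; it is not Pocket ID's code and not the content of the fix commit. It pairs a hypothetical wildcard pattern check that matches the raw redirect_uri string (constructed to show why string matching is fooled by "@") with a hardened validator that parses the value with net/url, rejects any userinfo, and compares scheme, host and path component by component. The registered callback values, the wildcard pattern and the crafted redirect_uri are constructed sample inputs.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample values (assumptions for this example, not taken
// from the advisory or from Pocket ID's configuration syntax).
const (
	registeredCallback = "https://app.example.com/callback"
	wildcardPattern    = "https://app.example.com*" // trailing "*" to allow query strings
)

// globToRegexp is a hypothetical helper: it turns "*" into ".*", so the
// wildcard matches anything, including "/" and "@". This is the weak
// behaviour being illustrated, not Pocket ID's implementation.
func globToRegexp(pattern string) *regexp.Regexp {
	parts := strings.Split(pattern, "*")
	for i := range parts {
		parts[i] = regexp.QuoteMeta(parts[i])
	}
	return regexp.MustCompile("^" + strings.Join(parts, ".*") + "$")
}

// naiveRedirectAllowed checks the raw string against the pattern and never
// parses the URL, so it cannot see where the authority really ends.
func naiveRedirectAllowed(pattern, redirect string) bool {
	return globToRegexp(pattern).MatchString(redirect)
}

// effectiveHost returns the host a browser would actually connect to.
// Everything before "@" in the authority is userinfo, not the host.
func effectiveHost(redirect string) string {
	u, err := url.Parse(redirect)
	if err != nil {
		return ""
	}
	return u.Host
}

// strictRedirectAllowed is the hardened check: parse both values and
// compare components. Userinfo and fragments are rejected outright,
// since a legitimate OAuth redirect URI never carries either
// (RFC 6749 section 3.1.2 forbids fragments in redirect URIs).
func strictRedirectAllowed(registered, redirect string) bool {
	want, err := url.Parse(registered)
	if err != nil {
		return false
	}
	got, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	if got.User != nil || got.Fragment != "" {
		return false
	}
	// Scheme and host are case-insensitive; the path is compared exactly.
	// Query strings are ignored here; tighten further if your clients
	// register exact query components.
	return strings.EqualFold(got.Scheme, want.Scheme) &&
		strings.EqualFold(got.Host, want.Host) &&
		got.Path == want.Path
}

func main() {
	crafted := "https://app.example.com@evil.example/callback" // constructed
	fmt.Println("naive pattern check accepts:", naiveRedirectAllowed(wildcardPattern, crafted))
	fmt.Println("browser would connect to:   ", effectiveHost(crafted))
	fmt.Println("strict check accepts:       ", strictRedirectAllowed(registeredCallback, crafted))
}
```

The naive check reports the crafted value as allowed because the registered host appears verbatim at the start of the string, while net/url shows that the host is actually the one after "@". Rejecting any parsed userinfo is the cheapest fix; comparing parsed components instead of raw strings closes the same class of confusion for other separators as well.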
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/pocket-id/pocket-id/backend (Go) | < 0.0.0-20260228130835-3a339e33191c | 0.0.0-20260228130835-3a339e33191c |
Affected products
- pkg:golang/github.com/pocket-id/pocket-id/backend (no CPE), range: < 0.0.0-20260228130835-3a339e33191c
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 0.0.20260317T205859-150000.1.152.1
References
- GitHub Advisory GHSA-9h33-g3ww-mqff: github.com/advisories/GHSA-9h33-g3ww-mqff
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2026-28512
- Fix commit: github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8
- Project security advisory: github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff