High severity · NVD Advisory · Published Mar 9, 2026 · Updated Mar 10, 2026

Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

CVE-2026-28512

Description

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. In versions from 2.0.0 up to, but not including, 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (the part before "@") to bypass the checks against the client's legitimate callback patterns. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.
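The following Go program is an added illustration, not Pocket ID's code and not part of the advisory. It contrasts a callback check that treats redirect_uri as plain text (so the text before "@" can pass for the registered host) with a check that parses the URI, refuses any userinfo component, and then requires an exact match of scheme, host, port and path against the registered callback, as the OAuth 2.0 Security BCP recommends. The names registeredCallback, naiveAllowed and strictAllowed, and the sample URIs, are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// registeredCallback is a constructed sample: the one callback URL a
// hypothetical client registered with the provider.
const registeredCallback = "https://app.example.com/callback"

// naiveAllowed is a deliberately fragile check of the kind the advisory
// describes: it matches redirect_uri as text against the registered
// pattern and never inspects the parsed host component.
func naiveAllowed(redirectURI string) bool {
	return strings.HasPrefix(redirectURI, "https://app.example.com")
}

// strictAllowed parses redirect_uri and compares its components with the
// registered callback. It rejects any userinfo ("user@host"), so the text
// before "@" can no longer stand in for the host, and then requires an
// exact match of scheme, host, port, path and query, with no fragment.
// The second return value explains a rejection.
func strictAllowed(redirectURI string) (bool, string) {
	cand, err := url.Parse(redirectURI)
	if err != nil {
		return false, "unparseable redirect_uri: " + err.Error()
	}
	reg, err := url.Parse(registeredCallback)
	if err != nil {
		return false, "registered callback is malformed: " + err.Error()
	}
	switch {
	case cand.User != nil:
		return false, "userinfo is not permitted in redirect_uri"
	case cand.Scheme != reg.Scheme:
		return false, "scheme mismatch"
	case !strings.EqualFold(cand.Hostname(), reg.Hostname()):
		return false, "host mismatch: got " + cand.Hostname()
	case cand.Port() != reg.Port():
		return false, "port mismatch"
	case cand.Path != reg.Path:
		return false, "path mismatch"
	case cand.RawQuery != reg.RawQuery:
		return false, "query mismatch"
	case cand.Fragment != "":
		return false, "fragment is not permitted in redirect_uri"
	}
	return true, ""
}

func main() {
	// Constructed sample inputs: the legitimate callback, a URI whose
	// userinfo section equals the registered host (the class of input the
	// advisory describes), and a look-alike subdomain.
	samples := []string{
		registeredCallback,
		"https://app.example.com@attacker.example/callback",
		"https://app.example.com.attacker.example/callback",
	}
	for _, s := range samples {
		ok, why := strictAllowed(s)
		fmt.Printf("%-52s naive=%-5v strict=%-5v %s\n", s, naiveAllowed(s), ok, why)
	}
}
```

Running the program shows the text-based check accepting all three inputs, while the parser-based check accepts only the registered callback; Go's net/url places "app.example.com" in User and "attacker.example" in Host for the second sample, which is exactly the component the naive check never looked at.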


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/pocket-id/pocket-id/backend (Go)
Affected versions: < 0.0.0-20260228130835-3a339e33191c
Patched versions: 0.0.0-20260228130835-3a339e33191c
