CVE-2026-28513

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.

CVSS v3 8.5 HIGH

8.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2	Exploit Vendor Advisory
https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pocket-id:pocket_id:*:*:*:*:*:*:*:*

History

13 Mar 2026, 15:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:pocket-id:pocket_id::::::::
References	~~() https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2 -~~	() https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2 - Exploit, Vendor Advisory
First Time		Pocket-id pocket Id Pocket-id
Summary		(es) Pocket ID es un proveedor OIDC que permite a los usuarios autenticarse con sus passkeys en sus servicios. Antes de la 2.4.0, el endpoint de token OIDC rechaza un código de autorización solo cuando tanto el ID del cliente es incorrecto como el código ha expirado. Esto permite el intercambio de código entre clientes y la reutilización de códigos expirados. Esta vulnerabilidad se ha corregido en la 2.4.0.

10 Mar 2026, 18:18

Type	Values Removed	Values Added
References	~~() https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2 -~~	() https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2 -

10 Mar 2026, 17:38

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 17:38

Updated : 2026-03-13 15:52

NVD link : CVE-2026-28513

Mitre link : CVE-2026-28513

CVE.ORG link : CVE-2026-28513

JSON object : View

Products Affected

pocket-id

pocket_id

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-28513", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-10T17:38:50.303", "references": [{"url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0."}, {"lang": "es", "value": "Pocket ID es un proveedor OIDC que permite a los usuarios autenticarse con sus passkeys en sus servicios. Antes de la 2.4.0, el endpoint de token OIDC rechaza un c\u00f3digo de autorizaci\u00f3n solo cuando tanto el ID del cliente es incorrecto como el c\u00f3digo ha expirado. Esto permite el intercambio de c\u00f3digo entre clientes y la reutilizaci\u00f3n de c\u00f3digos expirados. Esta vulnerabilidad se ha corregido en la 2.4.0."}], "lastModified": "2026-03-13T15:52:56.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pocket-id:pocket_id:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08E85575-4AB8-455C-837E-57B0052B5C3E", "versionEndExcluding": "2.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}