Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
History
Mon, 09 Mar 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0. | |
| Title | Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion | |
| Weaknesses | CWE-601 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-09T22:17:58.425Z
Reserved: 2026-02-27T20:57:47.710Z
Link: CVE-2026-28512
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
No data.