Description

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.

INFO

Published Date :

2026-03-09T22:17:58.425Z

Last Modified :

2026-03-10T14:32:52.265Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28512 vulnerability.

Vendors Products
Pocket-id
  • Pocket-id
  • Pocket Id
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28512.

URL Resource
https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8 cve-icon cve-icon
https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact