CVE-2026-28513

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Description

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.

INFO

Published Date :

2026-03-09T22:19:30.000Z

Last Modified :

2026-03-10T14:32:17.637Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-28513 vulnerability.

Vendors	Products
Pocket-id	Pocket-id Pocket Id

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28513.

URL	Resource
https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact