CVE-2026-28512 in Pocket ID
Summary
by MITRE • 03/10/2026
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.
Analysis
by VulDB Data Team • 03/13/2026
The vulnerability exists in Pocket ID, an OpenID Connect provider that authenticates users with passkeys on behalf of the services behind it. The flaw sits in the callback URL validation that decides where an authorization response may be sent back to a client application. It affects versions from 2.0.0 up to, but not including, 2.4.0.

Technically, the redirect_uri parameter was not sanitized sufficiently when it contained an @ character, which in URL syntax separates the userinfo component from the host. A crafted value can place the expected callback host in the userinfo position while the actual host, the one a browser will connect to, is attacker-controlled; the callback pattern check sees a URL that looks legitimate and accepts it. The vulnerability maps to CWE-601 (URL redirection to an untrusted site) and aligns with ATT&CK technique T1566.001 for credential access through phishing.

Operationally, this is an open redirect in the OAuth 2.0 authorization flow. If a user is tricked into opening a malicious authorization link, the authorization code issued after a successful login is delivered to the attacker's host instead of the legitimate client, which can lead to credential theft or session hijacking and unauthorized access to the protected services. Organizations running an affected version are exposed to phishing campaigns in which users are sent to sites that capture these authorization responses and then compromise their accounts.

Version 2.4.0 fixes this by strengthening the callback URL validation so that every URL component, including the userinfo section, is sanitized and validated, and only explicitly allowed callback URLs can receive authorization responses. This matches established practice for preventing open redirects and underlines the importance of complete URL parsing and validation in authentication systems, especially OAuth 2.0 implementations where redirect_uri is security-critical. Security teams should upgrade to version 2.4.0 or later without delay.
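The two validators below, written in Go because Pocket ID's backend is Go, are an added illustration of the weakness class described above and of a parse-first check that closes it. This is not Pocket ID's own validation code, before or after the fix: the registered callback URL, the client name and the crafted URL are constructed sample values, and the naive prefix test is a simplified stand-in for a raw-string pattern match.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// registeredCallback is a constructed sample value standing in for the callback
// URL an administrator registered for an OIDC client.
const registeredCallback = "https://app.example.com/callback"

// naiveCallbackMatches models the weak class of check the advisory describes:
// it compares the raw redirect_uri string against the registered value with a
// prefix test instead of parsing it. The string
// "https://app.example.com@evil.example/callback" begins with the registered
// scheme and host, so this check accepts it even though a browser would deliver
// the authorization code to evil.example. Illustrative only; not Pocket ID's code.
func naiveCallbackMatches(redirectURI string) bool {
	return strings.HasPrefix(redirectURI, "https://app.example.com")
}

// strictCallbackMatches parses redirect_uri and compares its components with
// the registered callback. Any userinfo is rejected outright, scheme and host
// must match (case-insensitively), the path and query must match exactly, and
// a fragment is refused because RFC 6749 forbids fragments in redirect URIs.
// A host smuggled in front of an "@" therefore lands in candidate.User and
// never reaches the host comparison.
func strictCallbackMatches(redirectURI string) (bool, error) {
	candidate, err := url.Parse(redirectURI)
	if err != nil {
		return false, fmt.Errorf("redirect_uri is not a valid URL: %w", err)
	}
	if candidate.User != nil {
		return false, errors.New("redirect_uri must not contain userinfo")
	}
	if candidate.Scheme == "" || candidate.Host == "" {
		return false, errors.New("redirect_uri must be an absolute URL")
	}
	if candidate.Fragment != "" {
		return false, errors.New("redirect_uri must not contain a fragment")
	}
	registered, err := url.Parse(registeredCallback)
	if err != nil {
		return false, err
	}
	sameOrigin := strings.EqualFold(candidate.Scheme, registered.Scheme) &&
		strings.EqualFold(candidate.Host, registered.Host)
	samePathAndQuery := candidate.Path == registered.Path &&
		candidate.RawQuery == registered.RawQuery
	return sameOrigin && samePathAndQuery, nil
}

func main() {
	// Constructed inputs: the legitimate callback, a userinfo-smuggling URL of
	// the kind the advisory describes, and a plainly foreign host.
	samples := []string{
		registeredCallback,
		"https://app.example.com@evil.example/callback",
		"https://evil.example/callback",
	}
	for _, s := range samples {
		strict, err := strictCallbackMatches(s)
		fmt.Printf("%-48s naive=%-5v strict=%-5v err=%v\n",
			s, naiveCallbackMatches(s), strict, err)
	}
}
```

The design point is that the decision is made on the parsed components, never on the raw string: once `url.Parse` has separated userinfo from host, the smuggled host is visible as `candidate.Host` and the check can refuse the request and log the rejected value for detection. The same parse-first rule should be applied when wildcard or pattern-based callback allowlists are supported, matching the pattern against the parsed host rather than the original text.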