CVE-2026-28513 in Pocket ID

Summary

by MITRE • 03/10/2026

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.


Analysis

by VulDB Data Team • 03/13/2026

CVE-2026-28513 affects Pocket ID, an OpenID Connect provider that authenticates users with passkeys. The flaw lies in the token endpoint's validation of authorization codes and is an authorization bypass at the centre of the OpenID Connect authorization code flow. Versions prior to 2.4.0 are affected.

Before the fix, the token endpoint rejected an authorization code only when two conditions held at the same time: the client ID presented at the token endpoint differed from the client the code had been issued to, and the code had expired. Each condition on its own should be fatal, so combining them with a logical AND instead of OR left two exploitable paths. A code that is still within its lifetime is accepted even when a different client presents it (cross-client code exchange), and a code presented by the correct client is accepted even after it has expired (expired code reuse). Only a code that is both expired and presented by the wrong client is turned away.

VulDB maps the vulnerability to CWE-285: Improper Authorization and to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts), since the attacker ends up holding tokens for a legitimate account. An attacker who obtains an authorization code issued to one client application can exchange it at a different client registered with the same Pocket ID instance and receive tokens in the victim's name. This defeats the binding between code and client that OAuth 2.0 requires the token endpoint to enforce (RFC 6749, section 4.1.3). The impact then depends on what the second client is trusted to do: data exposure, privilege escalation, or unauthorized use of services registered with the same deployment.

The risk is highest where many client applications share one Pocket ID instance, because the weakest client becomes an entry point to the others. Version 2.4.0 corrects the token endpoint so that a client-ID mismatch and an expired code are each rejected on their own. Operators should upgrade to 2.4.0 or later. Until then, and as a detective control afterwards, token endpoint logs should be reviewed for exchanges in which the client_id at /token does not match the client the code was issued to at /authorize, and for exchanges that occur after the code's expiry time; neither pattern occurs in a correctly behaving client and both deserve investigation.
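As an added illustration, not Pocket ID's own code, the following Go program contrasts the pre-2.4.0 condition described above (reject only when the client ID is wrong AND the code is expired) with the corrected check (reject when either fails, and refuse a second redemption). The AuthCode type, the clients app-a and app-b, the 60-second lifetime and the four exchange attempts are all constructed for the example and are not taken from Pocket ID.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// AuthCode is the server-side record for an issued authorization code.
// Constructed for this example; it is not Pocket ID's own data model.
type AuthCode struct {
	Code      string
	ClientID  string // client_id the code was issued to at /authorize
	UserID    string
	ExpiresAt time.Time
	Used      bool
}

var (
	ErrClientMismatch = errors.New("code was issued to a different client")
	ErrExpired        = errors.New("code has expired")
	ErrAlreadyUsed    = errors.New("code has already been redeemed")
	ErrInvalidCode    = errors.New("invalid authorization code")
)

// VulnerableExchange reproduces the pre-2.4.0 condition described in the
// advisory: the code is refused only when the client ID is wrong AND the code
// is expired, so either failure on its own is silently accepted.
func VulnerableExchange(ac *AuthCode, presentedClientID string, now time.Time) error {
	wrongClient := ac.ClientID != presentedClientID
	expired := !now.Before(ac.ExpiresAt)
	if wrongClient && expired {
		return ErrInvalidCode
	}
	return nil
}

// FixedExchange refuses the code when EITHER check fails and additionally
// enforces single use. The distinct errors are for server-side logging; at
// the HTTP boundary all of them should surface as the same "invalid_grant"
// response (RFC 6749, section 5.2) so the caller learns nothing about why.
func FixedExchange(ac *AuthCode, presentedClientID string, now time.Time) error {
	if subtle.ConstantTimeCompare([]byte(ac.ClientID), []byte(presentedClientID)) != 1 {
		return ErrClientMismatch
	}
	if !now.Before(ac.ExpiresAt) {
		return ErrExpired
	}
	if ac.Used {
		return ErrAlreadyUsed
	}
	ac.Used = true
	return nil
}

// NewCode constructs a sample code issued to client "app-a" with a
// 60-second lifetime (constructed values, not Pocket ID defaults).
func NewCode(issued time.Time) *AuthCode {
	return &AuthCode{
		Code:      "example-code-for-app-a",
		ClientID:  "app-a",
		UserID:    "alice",
		ExpiresAt: issued.Add(60 * time.Second),
	}
}

func main() {
	issued := time.Date(2026, 3, 10, 12, 0, 0, 0, time.UTC)
	attempts := []struct {
		name     string
		clientID string
		at       time.Time
	}{
		{"correct client, fresh code", "app-a", issued.Add(10 * time.Second)},
		{"other client, fresh code (cross-client exchange)", "app-b", issued.Add(10 * time.Second)},
		{"correct client, expired code (expired reuse)", "app-a", issued.Add(2 * time.Minute)},
		{"other client, expired code", "app-b", issued.Add(2 * time.Minute)},
	}
	for _, a := range attempts {
		v := VulnerableExchange(NewCode(issued), a.clientID, a.at)
		f := FixedExchange(NewCode(issued), a.clientID, a.at)
		fmt.Printf("%-50s pre-2.4.0 accepts: %-5v fixed result: %v\n", a.name, v == nil, f)
	}
}
```

Running it shows the pre-2.4.0 logic accepting three of the four attempts and the corrected logic accepting only the first. The constant-time comparison of client IDs is a habit rather than a requirement here; the essential change is that the two checks are evaluated independently.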

Responsible

GitHub M

Reservation

02/27/2026

Disclosure

03/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00016

KEV

no

Activities

very low
