VDB

CVE-2026-28512

CVE-2026-28512 PUBLISHED CVSS 7.099999904632568 HIGH

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.

EPSS 0.02% · 4.4th percentile

Risk Scores

CVSS v3.1
7.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
EPSS Score
0.02%
4.4th percentile

Affected Products

VendorProductVersions
pocket-idpocket_id2.0.0, 2.0.0
pocket-idpocket-id>= 2.0.0, < 2.4.0, >= 2.0.0, < 2.4.0
github.compocket-id/pocket-id/backend0, 0

Timeline

  • Mar 9, 2026 CVE Published
  • Mar 10, 2026 CVE Updated
  • Mar 10, 2026 EPSS Score
  • Mar 11, 2026 EPSS Score
  • Mar 12, 2026 EPSS Score
  • Mar 13, 2026 EPSS Score
  • Mar 14, 2026 EPSS Score
  • Mar 15, 2026 EPSS Score
  • Mar 16, 2026 EPSS Score
  • Mar 17, 2026 EPSS Score
  • Mar 17, 2026 Coalition ESS Score
  • Mar 18, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›