CVE-2026-28513 — Vulnetix

CVE-2026-28513 PUBLISHED CVSS 8.5 HIGH

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.

EPSS 0.02% · 4.0th percentile

Risk Scores

CVSS v3.1

8.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS Score

0.02%

4.0th percentile

Affected Products

Vendor	Product	Versions
pocket-id	pocket-id	,
pocket-id	pocket_id	0, 0
github.com	pocket-id/pocket-id/backend	0, 0

Timeline

Mar 9, 2026 CVE Published
Mar 10, 2026 CVE Updated
Mar 10, 2026 EPSS Score
Mar 11, 2026 EPSS Score
Mar 12, 2026 EPSS Score
Mar 13, 2026 EPSS Score
Mar 14, 2026 EPSS Score
Mar 15, 2026 EPSS Score
Mar 16, 2026 EPSS Score
Mar 17, 2026 EPSS Score
Mar 17, 2026 Coalition ESS Score
Mar 17, 2026 Security Advisory

References

https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2 url
https://nvd.nist.gov/vuln/detail/CVE-2026-28513 advisory
https://github.com/pocket-id/pocket-id package

Open in Interactive Console →