CVE-2026-28512
Severity: MEDIUM | WAF coverage: Medium
CVSS: 6.1
Published: 2026-03-10
CWE-601
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.
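The description above names the failure mode but not the mechanism, so here is an added illustration in Go (the language Pocket ID is written in); it is not Pocket ID's code, and the registered callback, the weak pattern check and the crafted value are all constructed for the example. A redirect_uri such as `https://app.example.com@evil.example/...` begins with the legitimate origin, so a prefix or substring pattern check accepts it, while a URL parser assigns everything before the `@` to userinfo and reports the real host. The defensive version parses the value, rejects any userinfo or fragment, and requires an exact component match against the registered callbacks.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample: the callback URL a hypothetical client registered.
var registeredCallbacks = []string{
	"https://app.example.com/oauth/callback",
}

// weakMatch stands in for a string-pattern check that only looks for the
// registered origin somewhere in the candidate. It is NOT Pocket ID's code;
// it illustrates the class of check that URL userinfo defeats.
func weakMatch(candidate string) bool {
	for _, cb := range registeredCallbacks {
		origin := cb[:strings.Index(cb, "/oauth")] // "https://app.example.com"
		if strings.Contains(candidate, origin) {
			return true
		}
	}
	return false
}

// strictMatch parses the candidate and compares scheme, host, path and query
// component-by-component against each registered callback. Userinfo and
// fragments are never legitimate in a redirect_uri, so they are rejected
// outright. Returns the decision and a reason useful for logging.
func strictMatch(candidate string) (bool, string) {
	u, err := url.Parse(candidate)
	if err != nil {
		return false, "unparseable redirect_uri"
	}
	if u.User != nil {
		// net/url puts "app.example.com" from the crafted value here,
		// and reports the host after the "@" as u.Host.
		return false, "userinfo not allowed (host is " + u.Host + ")"
	}
	if u.Fragment != "" {
		return false, "fragment not allowed"
	}
	for _, cb := range registeredCallbacks {
		r, err := url.Parse(cb)
		if err != nil {
			continue
		}
		if u.Scheme == r.Scheme && u.Host == r.Host &&
			u.Path == r.Path && u.RawQuery == r.RawQuery {
			return true, ""
		}
	}
	return false, "no exact match against registered callbacks"
}

func main() {
	crafted := "https://app.example.com@evil.example/oauth/callback"
	fmt.Printf("weak check accepts crafted value: %v\n", weakMatch(crafted))
	ok, why := strictMatch(crafted)
	fmt.Printf("strict check accepts crafted value: %v (%s)\n", ok, why)
	ok, _ = strictMatch("https://app.example.com/oauth/callback")
	fmt.Printf("strict check accepts registered value: %v\n", ok)
}
```

The lesson generalizes beyond the `@` case: any redirect_uri check built on substrings or prefixes of the raw string is one parser quirk away from a bypass, whereas parsing first and then comparing normalized components (or, as RFC 6749 recommends, exact string equality with a registered value) leaves no room for ambiguous authorities.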
WAF Coverage Analysis
Open Redirect
Medium WAF Coverage
OWASP: A01:2021 Broken Access Control
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| pocket-id | pocket_id | 2.0.0 - 2.4.0 |
References
- github.com (Patch)
- github.com (Mitigation, Patch, Vendor Advisory)