{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28512", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T20:57:47.710Z", "datePublished": "2026-03-09T22:17:58.425Z", "dateUpdated": "2026-03-10T14:32:52.265Z"}, "containers": {"cna": {"title": "Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff"}, {"name": "https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8", "tags": ["x_refsource_MISC"], "url": "https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8"}], "affected": [{"vendor": "pocket-id", "product": "pocket-id", "versions": [{"version": ">= 2.0.0, < 2.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:17:58.425Z"}, "descriptions": [{"lang": "en", "value": "Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0."}], "source": {"advisory": "GHSA-9h33-g3ww-mqff", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:32:45.368003Z", "id": "CVE-2026-28512", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:32:52.265Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28512", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T14:32:45.368003Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:32:48.891Z"}}], "cna": {"title": "Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion", "source": {"advisory": "GHSA-9h33-g3ww-mqff", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pocket-id", "product": "pocket-id", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.4.0"}]}], "references": [{"url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff", "name": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8", "name": "https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:17:58.425Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28512", "state": "PUBLISHED", "dateUpdated": "2026-03-10T14:32:52.265Z", "dateReserved": "2026-02-27T20:57:47.710Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T22:17:58.425Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pocket-id:pocket_id:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0499052-79D0-4301-AB0E-4ABF8299027C", "versionEndExcluding": "2.4.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0."}, {"lang": "es", "value": "Pocket ID es un proveedor OIDC que permite a los usuarios autenticarse con sus passkeys en sus servicios. Desde la versi\u00f3n 2.0.0 hasta antes de la 2.4.0, un fallo en la validaci\u00f3n de la URL de callback permiti\u00f3 que valores de redirect_uri manipulados que conten\u00edan informaci\u00f3n de usuario de URL (@) eludieran las comprobaciones leg\u00edtimas del patr\u00f3n de callback. Si un atacante puede enga\u00f1ar a un usuario para que abra un enlace de autorizaci\u00f3n malicioso, el c\u00f3digo de autorizaci\u00f3n podr\u00eda ser redirigido a un host controlado por el atacante. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 2.4.0."}], "id": "CVE-2026-28512", "lastModified": "2026-03-13T16:12:14.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T17:38:50.113", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "pocket-id", "source": "cna", "vendor": "pocket-id"}, "product": "pocket-id", "vendor": "pocket-id"}], "analysis": {"en": {"generated_at": "2026-04-17T11:48:59.418164+00:00", "value": {"mitigation_remediation": ["Upgrade Pocket ID to version\u202f2.4.0 or later to apply the official fix.", "Audit all registered redirect_uri values to ensure they do not contain an @ symbol in the host part or other userinfo components.", "Implement custom validation in your authorization flow that strictly matches the host against an approved whitelist and rejects any URI that includes userinfo or other disallowed patterns."], "summary": {"action": "Immediate Patch", "impact": "Credential Theft via Authorization Code Interception"}, "threat_synthesis": {"affected_systems": "Pocket ID versions 2.0.0 through 2.3.x are affected. Users deploying these versions should verify if they are running any of those releases and plan an upgrade to 2.4.0 or later where the validation bug has been fixed.", "description_and_impact": "A flaw in Pocket ID\u2019s callback URL validation allowed redirect_uri values that include an @ symbol in the host component to bypass legitimate callback pattern checks. An attacker can craft a malicious authorization link that, when clicked by a user, sends the resulting authorization code to an attacker\u2011controlled host instead of the intended client. This can enable the attacker to obtain the authorization code and subsequently exchange it for tokens, effectively compromising user credentials and granting unauthorized access to protected resources. The weakness lies in improper input validation of redirect URIs (CWE\u2011601).", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.1, indicating high severity. The EPSS score is below 1%, suggesting a low probability of real\u2011world exploitation at present. It is not listed in the CISA KEV catalog. Exploitation requires an attacker to entice a user to click a crafted OAuth request; if successful, the authorization code can be captured and misused. No other conditions are required. The attacker\u2019s path hinges on user interaction with the malicious link and the business logic that accepts the redirect_uri without proper checks."}}}}, "created": "2026-03-10T14:06:38.963395+00:00", "updated": "2026-04-17T12:00:11.742922+00:00", "vendors": ["pocket-id", "pocket-id$PRODUCT$pocket-id"]}