32 matches found
CVE-2026-43983
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, the createTokenFromRefreshToken function in oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...
Improper Authorization
Overview: Affected versions of this package are vulnerable to Improper Authorization due to insufficient validation in the createTokenFromRefreshToken function. An attacker can maintain access to resources by using a valid refresh token even after authorization has been revoked, the account has be...
CVE-2026-43983
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, the createTokenFromRefreshToken function in oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...
CVE-2026-43983 Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, the createTokenFromRefreshToken function in oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...
EUVD-2026-29482
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, the createTokenFromRefreshToken function in oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...
CVE-2026-43983 Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, the createTokenFromRefreshToken function in oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...
CVE-2026-43983
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, the createTokenFromRefreshToken function in oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...
PT-2026-40035
Name of the Vulnerable Software and Affected Versions: Pocket ID versions prior to 2.6.0. Description: The createTokenFromRefreshToken function in oidc service.go validates the cryptographic integrity of refresh tokens but fails to re-verify the user's current authorization state before issuing new...
Pocket ID Authorization Issue Vulnerability
Pocket ID is an open-source OIDC identity provider that supports passwordless authentication. Versions of Pocket ID prior to 2.6.0 had an authorization vulnerability. This vulnerability stemmed from the createTokenFromRefreshToken function not revalidating the user’s current authorization status,...
CVE-2026-43983
creationtimestamp | type | source
---|---|---
2026-04-26 17:45:52+00:00 | published-proof-of-concept | https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44...
SUSE CVE-2026-28512
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...
SUSE CVE-2026-28513
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...
GO-2026-4656 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange in github.com/pocket-id/pocket-id/backend
Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange in github.com/pocket-id/pocket-id/backend...
GO-2026-4653 Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion in github.com/pocket-id/pocket-id/backend
Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion in github.com/pocket-id/pocket-id/backend...
CVE-2026-28513
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...
CVE-2026-28512
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...
CVE-2026-28512
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...
Pocket ID Input Validation Error Vulnerability
Pocket ID is an open-source identity provider that supports passwordless authentication. Versions of Pocket ID from 2.0.0 to 2.4.0 had a vulnerability related to input validation errors. This vulnerability stemmed from defects in the callback URL validation process, which could lead to the...
CVE-2026-28513
Pocket ID is an OIDC provider. Before version 2.4.0, the token endpoint could accept an authorization code that is expired when the client ID is correct, enabling cross-client code reuse and expired-code reuse. The issue is fixed in 2.4.0. No exploitation path details are provided beyond that, an...
CVE-2026-28513
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...