SUSE CVE-2026-28513

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

CVE-2026-32132 ZITADEL: Reactivation of Expired Passkey Registration Codes

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code, could allow ...

CVE-2026-28513

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

EUVD-2026-10409

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

GHSA-QH6Q-598W-W6M2 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Summary The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. Details backend/internal/service/oidcservice.go:407 go if authorizationCodeMetaData.ClientID != input.ClientI...

Red Hat Keycloak 安全漏洞

Red Hat Keycloak is a suite of software from Red Hat, Inc. that provides authentication and management capabilities for modern applications and services. A security vulnerability exists in Red Hat Keycloak that stems from an expired OTP code remaining available when using FreeOTP when the OTP tok...

Privilege Escalation

github.com/google/exposure-notifications-verification-server is vulnerable to privilege escalation. The vulnerability exists due to insufficient granularity of access control which allows an attacker, who has permission to the access code and is able to guess the UUID, to have access to expired...