CVE-2026-28512 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validat…
High CVSS: 7.1

CVE-2026-28512

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.
Vendor
Pocket-id
Product
Pocket Id
CWE
CWE-601
Yayın Tarihi
2026-03-10 17:38:50
Güncelleme
2026-03-13 16:12:14
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-601 Pocket Id HIGH Pocket-id 2026

Referanslar

https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8 https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff