CVE-2026-28512

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28512

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28512.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28512

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-09T22:17:58.425Z

Modified

2026-04-02T13:22:22.140478Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator

Summary

Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

Details

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-601"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28512.json"
}

References

Affected packages

Git / github.com/pocket-id/pocket-id

Affected ranges

Type: GIT
Repo: https://github.com/pocket-id/pocket-id
Events: Introduced

f5e2c68ba3f2fd7112d0e0334f41abdfce74e7d7

Fixed

b59e35cb59ae52b66b072639382d98812b268488

Affected versions

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.1.0

v2.2.0

v2.3.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28512.json"