CVE-2026-28513

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28513

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28513.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28513

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-09T22:19:30Z

Modified

2026-03-26T09:14:33.562339Z

Severity

8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator

Summary

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Details

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28513.json"
}

References

Affected packages

Git / github.com/pocket-id/pocket-id

Affected ranges

Type: GIT
Repo: https://github.com/pocket-id/pocket-id
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b59e35cb59ae52b66b072639382d98812b268488

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.2.0

v0.2.1

v0.20.0

v0.20.1

v0.21.0

v0.22.0

v0.23.0

v0.24.0

v0.24.1

v0.25.0

v0.25.1

v0.26.0

v0.27.0

v0.27.1

v0.27.2

v0.28.0

v0.28.1

v0.29.0

v0.3.0

v0.3.1

v0.30.0

v0.31.0

v0.32.0

v0.33.0

v0.34.0

v0.35.0

v0.35.1

v0.35.2

v0.35.3

v0.35.4

v0.35.5

v0.35.6

v0.36.0

v0.37.0

v0.38.0

v0.39.0

v0.4.0

v0.4.1

v0.40.0

v0.40.1

v0.41.0

v0.42.0

v0.42.1

v0.43.0

v0.43.1

v0.44.0

v0.45.0

v0.46.0

v0.47.0

v0.48.0

v0.49.0

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.50.0

v0.51.0

v0.51.1

v0.52.0

v0.53.0

v0.6.0

v0.7.0

v0.7.1

v0.8.0

v0.8.1

v0.9.0

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.11.0

v1.11.1

v1.11.2

v1.12.0

v1.13.0

v1.13.1

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.16.0

v1.2.0

v1.3.0

v1.3.1

v1.4.0

v1.4.1

v1.5.0

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.7.0

v1.8.0

v1.8.1

v1.9.0

v1.9.1

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.1.0

v2.2.0

v2.3.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28513.json"