CVE-2026-43983

Source
https://cve.org/CVERecord?id=CVE-2026-43983
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43983.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43983
Aliases
  • GHSA-w6p7-2fxx-4f44
Published
2026-05-12T14:19:01.166Z
Modified
2026-07-08T08:13:29.971196026Z
Severity
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions
Details

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state before issuing new tokens. This allows (1) the client to refresh the token indefinitely after authorization revocation, (2) the refresh token to continue to work after the account is disabled, and (3) the token to work after the client is removed from the group. This vulnerability is fixed in 2.6.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-285",
        "CWE-613"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43983.json"
}
References

Affected packages

Git / github.com/pocket-id/pocket-id

Affected ranges

Type
GIT
Repo
https://github.com/pocket-id/pocket-id
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.6.0"
        }
    ],
    "cpe": "cpe:2.3:a:pocket-id:pocket_id:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.13.1
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.2.0
v0.2.1
v0.20.0
v0.20.1
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.26.0
v0.27.0
v0.27.1
v0.27.2
v0.28.0
v0.28.1
v0.29.0
v0.3.0
v0.3.1
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v0.35.1
v0.35.2
v0.35.3
v0.35.4
v0.35.5
v0.35.6
v0.36.0
v0.37.0
v0.38.0
v0.39.0
v0.4.0
v0.4.1
v0.40.0
v0.40.1
v0.41.0
v0.42.0
v0.42.1
v0.43.0
v0.43.1
v0.44.0
v0.45.0
v0.46.0
v0.47.0
v0.48.0
v0.49.0
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.50.0
v0.51.0
v0.51.1
v0.52.0
v0.53.0
v0.6.0
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.9.0
v1.*
v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.11.1
v1.11.2
v1.12.0
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.16.0
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.5.0
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43983.json"