Cross-Client Code Exchange and Expired Code Reuse in Pocket ID OIDC Provider
CVE-2026-28513

8.5 HIGH

Key Information:

Vendor: Pocket-id
Status: Vendor
CVE Published: 9 March 2026

What is CVE-2026-28513?

Pocket ID is an OpenID Connect (OIDC) provider. Before version 2.4.0, its token endpoint rejected an authorization code only when both conditions held at once: the presented client ID did not match the client the code was issued to, and the code had expired. Either condition on its own was not enough to fail the exchange. As a result, a code issued to one client could be exchanged for tokens by a different client (cross-client code exchange), and an expired code could still be redeemed. Version 2.4.0 fixes the issue by rejecting a code whenever either check fails.
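How a check of this shape goes wrong, as an added example that is not Pocket ID's code: the Go program below models an in-memory authorization-code store, a validation function that mirrors the flawed "reject only if both" logic described above, and a corrected one that fails on any single violation. The record type, store, error values, client IDs and code values are all constructed for this example; the single-use check in the hardened version is a standard RFC 6749 section 4.1.2 requirement added for completeness, not a detail taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuthCode is a constructed stand-in for a stored authorization code record.
// It is not Pocket ID's data model; the field names are assumptions.
type AuthCode struct {
	Code      string
	ClientID  string    // client the code was issued to
	ExpiresAt time.Time // codes are short-lived (RFC 6749 recommends <= 10 minutes)
	Redeemed  bool      // set once the code has been exchanged for tokens
}

// CodeStore maps code values to their records (in-memory for the example).
type CodeStore map[string]*AuthCode

var (
	ErrUnknownCode    = errors.New("invalid_grant: unknown authorization code")
	ErrClientMismatch = errors.New("invalid_grant: code was issued to a different client")
	ErrExpired        = errors.New("invalid_grant: authorization code expired")
	ErrReplayed       = errors.New("invalid_grant: authorization code already redeemed")
)

// vulnerableExchange models the flawed validation described in the advisory:
// the code is rejected only when the client ID is wrong AND the code is
// expired. A fresh code presented by the wrong client, or an expired code
// presented by the right client, is accepted.
func vulnerableExchange(store CodeStore, code, clientID string, now time.Time) (*AuthCode, error) {
	rec, ok := store[code]
	if !ok {
		return nil, ErrUnknownCode
	}
	if rec.ClientID != clientID && now.After(rec.ExpiresAt) {
		return nil, ErrClientMismatch
	}
	return rec, nil
}

// hardenedExchange checks each condition on its own and fails on the first
// violation. It also marks the code redeemed so a second exchange is refused
// (single use per RFC 6749 section 4.1.2; a standard control, not a detail
// from the advisory).
func hardenedExchange(store CodeStore, code, clientID string, now time.Time) (*AuthCode, error) {
	rec, ok := store[code]
	if !ok {
		return nil, ErrUnknownCode
	}
	if rec.ClientID != clientID {
		return nil, ErrClientMismatch
	}
	if !now.Before(rec.ExpiresAt) {
		return nil, ErrExpired
	}
	if rec.Redeemed {
		return nil, ErrReplayed
	}
	rec.Redeemed = true
	return rec, nil
}

// newStore builds constructed sample data: one fresh code and one expired
// code, both issued to the client "app-a".
func newStore(now time.Time) CodeStore {
	return CodeStore{
		"code-fresh":   {Code: "code-fresh", ClientID: "app-a", ExpiresAt: now.Add(5 * time.Minute)},
		"code-expired": {Code: "code-expired", ClientID: "app-a", ExpiresAt: now.Add(-1 * time.Minute)},
	}
}

func main() {
	now := time.Date(2026, 3, 9, 12, 0, 0, 0, time.UTC)
	cases := []struct{ code, client string }{
		{"code-fresh", "app-b"},   // cross-client: wrong client, unexpired code
		{"code-expired", "app-a"}, // expired code, right client
		{"code-expired", "app-b"}, // both wrong: the only case the flawed check catches
		{"code-fresh", "app-a"},   // legitimate exchange
		{"code-fresh", "app-a"},   // replay of the legitimate exchange
	}
	for _, c := range cases {
		_, err := vulnerableExchange(newStore(now), c.code, c.client, now)
		fmt.Printf("vulnerable %-12s by %s: %v\n", c.code, c.client, err)
	}
	store := newStore(now) // one shared store so the replay case is visible
	for _, c := range cases {
		_, err := hardenedExchange(store, c.code, c.client, now)
		fmt.Printf("hardened   %-12s by %s: %v\n", c.code, c.client, err)
	}
}
```

The flawed version accepts three of the five cases, including both attacks; it refuses only the doubly-wrong request. The point to take from it is that client binding, expiry and single use are independent preconditions, and each must short-circuit the exchange on its own.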

Affected Version(s)

pocket-id < 2.4.0

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Vector as listed: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H

Check before reusing these values: the metrics as listed evaluate to 9.8 under the CVSS 3.1 formula, not 8.5. The same vector with Availability set to None (A:N) yields exactly 8.5, so either the score or the Availability metric on this page is a transcription error; confirm against the CVE record.

Timeline

  • Vulnerability published: 9 March 2026

  • Vulnerability reserved