Weakness in Pocket ID's Token Management in Version Prior to 2.6.0
CVE-2026-43983

8.5 HIGH

Key Information:

Vendor:
Pocket-id

Status:
Vendor

CVE Published:
12 May 2026

What is CVE-2026-43983?

Pocket ID is an OIDC provider. In versions before 2.6.0 its refresh-token grant is flawed: the createTokenFromRefreshToken function exchanges a refresh token for new tokens without re-validating the user's current authorization state. It checks that the refresh token itself is acceptable, but not whether the conditions under which that token was issued still hold. As a result a client can keep refreshing tokens after the user has revoked its authorization, and a refresh token stays usable after the user's account has been disabled or after the user has been removed from the group the client is restricted to. Because the refresh token is the long-lived credential in an OIDC session, this turns revocation, account disablement and group removal into controls that only take effect once the outstanding refresh token expires on its own. Version 2.6.0 adds the missing checks so that the refresh grant only issues tokens while valid authorization still exists.

For operators: upgrade to 2.6.0 or later. Since the fix sits in the refresh path, it should also apply to refresh tokens issued before the upgrade the next time they are presented. Access tokens that were already issued before a revocation are outside the scope of this fix and, as in any bearer-token OIDC deployment, remain usable until they expire, so short access-token lifetimes limit the remaining window. A simple post-upgrade check is to disable a test account and replay that account's refresh token against the token endpoint: the expected response is an OAuth 2.0 invalid_grant error (RFC 6749 section 5.2), not a new token.
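
The refresh path described above, as an added example that is not Pocket ID's code: a Go sketch of an in-memory token store with the flawed refresh function beside a hardened one that re-validates the user's authorization state before issuing. Only the function name createTokenFromRefreshToken and the three revocation conditions (authorization revoked, account disabled, user removed from the client's group) come from the advisory; the types, the store layout, the names createTokenFromRefreshTokenVulnerable, createTokenFromRefreshTokenHardened and newSampleStore, and the sample user, client and token are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical in-memory model standing in for the provider's database;
// none of these types, fields or names are Pocket ID's own.
type User struct {
	Disabled bool
	Groups   map[string]bool
}

type Client struct{ AllowedGroup string } // "" means the client is not restricted to a group

type RefreshToken struct {
	UserID, ClientID string
	ExpiresAt        time.Time
	Used             bool
}

type Store struct {
	Users          map[string]*User
	Clients        map[string]*Client
	RefreshTokens  map[string]*RefreshToken
	Authorizations map[string]bool // "userID|clientID" present while the user's consent stands
}

// Token-endpoint error codes per RFC 6749 section 5.2, with a reason suffix for logs.
var (
	ErrInvalidToken  = errors.New("invalid_grant: refresh token unknown, expired or already used")
	ErrUserDisabled  = errors.New("invalid_grant: user account is disabled")
	ErrNotAuthorized = errors.New("invalid_grant: client no longer exists or user revoked its authorization")
	ErrGroupDenied   = errors.New("invalid_grant: user is no longer in the group required by this client")
)

// lookupRefreshToken validates only the token record itself (exists, unexpired, unused)
// and consumes it; it says nothing about whether the user or client may still obtain tokens.
func (s *Store) lookupRefreshToken(token string, now time.Time) (*RefreshToken, error) {
	rt, ok := s.RefreshTokens[token]
	if !ok || rt.Used || now.After(rt.ExpiresAt) {
		return nil, ErrInvalidToken
	}
	rt.Used = true // single use: burned even if the checks below refuse the grant
	return rt, nil
}

// createTokenFromRefreshTokenVulnerable mirrors the pre-2.6.0 behaviour the advisory
// describes: a valid refresh token yields new tokens with no re-validation of authorization.
func (s *Store) createTokenFromRefreshTokenVulnerable(token string, now time.Time) (string, error) {
	rt, err := s.lookupRefreshToken(token, now)
	if err != nil {
		return "", err
	}
	return "access-token:" + rt.UserID + ":" + rt.ClientID, nil
}

// createTokenFromRefreshTokenHardened adds the kind of checks the advisory says 2.6.0
// introduces: the user must still be enabled, the client must still exist and still be
// authorized by the user, and any group restriction on the client must still be met.
func (s *Store) createTokenFromRefreshTokenHardened(token string, now time.Time) (string, error) {
	rt, err := s.lookupRefreshToken(token, now)
	if err != nil {
		return "", err
	}
	user, ok := s.Users[rt.UserID]
	if !ok || user.Disabled {
		return "", ErrUserDisabled
	}
	client, ok := s.Clients[rt.ClientID]
	if !ok || !s.Authorizations[rt.UserID+"|"+rt.ClientID] {
		return "", ErrNotAuthorized
	}
	if client.AllowedGroup != "" && !user.Groups[client.AllowedGroup] {
		return "", ErrGroupDenied
	}
	return "access-token:" + rt.UserID + ":" + rt.ClientID, nil
}

// newSampleStore is a constructed fixture: user "alice" in group "staff", client "app"
// restricted to "staff", alice's consent for "app", and one live refresh token "rt-1".
func newSampleStore(now time.Time) *Store {
	return &Store{
		Users:          map[string]*User{"alice": {Groups: map[string]bool{"staff": true}}},
		Clients:        map[string]*Client{"app": {AllowedGroup: "staff"}},
		RefreshTokens:  map[string]*RefreshToken{"rt-1": {UserID: "alice", ClientID: "app", ExpiresAt: now.Add(24 * time.Hour)}},
		Authorizations: map[string]bool{"alice|app": true},
	}
}

func main() {
	now := time.Now()
	v, h := newSampleStore(now), newSampleStore(now)
	v.Users["alice"].Disabled, h.Users["alice"].Disabled = true, true // an admin disables the account
	tok, err := v.createTokenFromRefreshTokenVulnerable("rt-1", now)
	fmt.Printf("vulnerable: token=%q err=%v\n", tok, err) // still issues a token
	tok, err = h.createTokenFromRefreshTokenHardened("rt-1", now)
	fmt.Printf("hardened:   token=%q err=%v\n", tok, err) // refused with invalid_grant
}
```

Two design points in the hardened path are worth keeping in a real implementation: the refresh token is consumed before the authorization checks run, so a refused refresh also burns the token rather than leaving it live for retries, and every refusal maps to the same invalid_grant error code on the wire, with the reason kept for server-side logs only, so a revoked client learns nothing about which control refused it.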

Affected Version(s)

pocket-id < 2.6.0

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved