6.1

Pocket ID: Malicious Redirects Possible with Invalid Callback URLs

GHSA-9h33-g3ww-mqff · CVE-2026-28512
Summary

Pocket ID's OIDC authorization flow is affected: a flaw in callback URL validation lets a crafted authorization link send the authorization code to an attacker-controlled host, where it can be used to complete the login on the attacker's behalf. Update to version 2.4.0 or later to fix this issue.

What to do
  • Update github.com pocket-id to version 0.0.0-20260228130835-3a339e33191c.
  • Update pocket-id github.com/pocket-id/pocket-id/backend to version 0.0.0-20260228130835-3a339e33191c.
Affected software
Vendor      Product                                  Affected versions                      Fix available
github.com  pocket-id                                <= 0.0.0-20260228130835-3a339e33191c   0.0.0-20260228130835-3a339e33191c
pocket-id   github.com/pocket-id/pocket-id/backend   <= 0.0.0-20260228130835-3a339e33191c   0.0.0-20260228130835-3a339e33191c
pocket-id   pocket_id                                > 2.0.0, <= 2.4.0                      –
Original title
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri valu...
Original description
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.
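The description above names the root cause (callback pattern checks that can be fooled by a redirect_uri carrying URL userinfo) but not the fix. The Go example below is an added illustration written for this page; it is not Pocket ID's code and not the change shipped in 2.4.0. It contrasts a constructed prefix-style check (naiveAllowed) with a validator (ValidateRedirectURI, FirstAllowed) that parses the redirect_uri first and refuses any userinfo or fragment before comparing scheme, host, path and query against the registered callback. The hostnames app.example.com and evil.example and all sample inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// naiveAllowed is a deliberately weak check constructed for this example
// (not Pocket ID's code): it accepts any redirect_uri that begins with the
// registered callback string. Because "user@host" is legal URL syntax, the
// registered host can appear as the prefix while the real host is different.
func naiveAllowed(registered, redirect string) bool {
	return strings.HasPrefix(redirect, registered)
}

// ValidateRedirectURI parses the presented redirect_uri and compares it
// component by component with one registered callback URI. Userinfo and
// fragments are refused outright; scheme, host, path and query must match.
func ValidateRedirectURI(registered, redirect string) error {
	want, err := url.Parse(registered)
	if err != nil {
		return fmt.Errorf("registered callback is not a valid URL: %w", err)
	}
	got, err := url.Parse(redirect)
	if err != nil {
		return fmt.Errorf("redirect_uri is not a valid URL: %w", err)
	}
	// This is the check that closes the "@" case described in the advisory:
	// "https://app.example.com@evil.example/callback" parses with
	// User="app.example.com" and Host="evil.example".
	if got.User != nil {
		return errors.New("redirect_uri must not contain userinfo")
	}
	if got.Fragment != "" {
		return errors.New("redirect_uri must not contain a fragment")
	}
	if got.Opaque != "" || got.Host == "" {
		return errors.New("redirect_uri must be an absolute URL with a host")
	}
	if !strings.EqualFold(got.Scheme, want.Scheme) {
		return fmt.Errorf("scheme mismatch: got %q, want %q", got.Scheme, want.Scheme)
	}
	// Hostnames are case-insensitive; everything else is compared exactly.
	if !strings.EqualFold(got.Host, want.Host) {
		return fmt.Errorf("host mismatch: got %q, want %q", got.Host, want.Host)
	}
	if got.Path != want.Path || got.RawQuery != want.RawQuery {
		return errors.New("path or query does not match the registered callback")
	}
	return nil
}

// FirstAllowed returns the registered callback that the redirect_uri matches,
// or an error when none does; a client usually has several registered URIs.
func FirstAllowed(registered []string, redirect string) (string, error) {
	for _, r := range registered {
		if ValidateRedirectURI(r, redirect) == nil {
			return r, nil
		}
	}
	return "", errors.New("redirect_uri is not registered for this client")
}

func main() {
	registered := "https://app.example.com/callback"
	// Constructed sample inputs: an exact match, a userinfo variant and a
	// look-alike host that a prefix check also accepts.
	samples := []string{
		"https://app.example.com/callback",
		"https://app.example.com@evil.example/callback",
		"https://app.example.com.evil.example/callback",
	}
	for _, s := range samples {
		fmt.Printf("%-48s naive=%v strict=%v\n",
			s, naiveAllowed("https://app.example.com", s), ValidateRedirectURI(registered, s))
	}
}
```

The strict validator amounts to exact matching of the registered URI, which is what the OAuth 2.0 Security BCP recommends; the point of parsing before comparing is that userinfo, fragments and host case are handled as URL components rather than as characters inside a string or regex match.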
GHSA CVSS 3.1 score: 7.1
Vulnerability type
CWE-601 Open Redirect
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026