7.1
Older Pocket ID versions allow unwanted access to services
GHSA-qh6q-598w-w6m2
CVE-2026-28513
Summary
Older versions of the Pocket ID authentication service may let some users access your service even if they shouldn't. This is because the service doesn't correctly check user codes, which could lead to unauthorized access. Update to the latest version of Pocket ID to fix this issue.
What to do
- Update `pocket-id` (vendor github.com) to version 0.0.0-20260307173642-b59e35cb59ae.
- Update `github.com/pocket-id/pocket-id/backend` (vendor pocket-id) to version 0.0.0-20260307173642-b59e35cb59ae.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | pocket-id | <= 0.0.0-20260307173642-b59e35cb59ae | 0.0.0-20260307173642-b59e35cb59ae |
| pocket-id | github.com/pocket-id/pocket-id/backend | <= 0.0.0-20260307173642-b59e35cb59ae | 0.0.0-20260307173642-b59e35cb59ae |
| pocket-id | pocket_id | <= 2.4.0 | – |
Original title
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client...
Original description
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.
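The flaw described above is a classic CWE-863 operator error: two independent checks (client ID must match, code must not be expired) were combined so that the code was rejected only when both failed. The following Go program is an added illustration written for this page; it is not Pocket ID's code and does not reproduce its data model or API. It models a minimal in-memory authorization-code store (constructed sample data), shows a validator with the faulty AND logic beside a corrected one that rejects on either condition, and adds single-use enforcement (a standard OAuth 2.0 rule not mentioned in the advisory, included here as a defensive assumption).

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuthCode is a hypothetical authorization-code record (not Pocket ID's schema).
type AuthCode struct {
	Code      string
	ClientID  string // client the code was issued to
	ExpiresAt time.Time
	Redeemed  bool // set once the code has been exchanged for tokens
}

// ErrInvalidGrant is the generic error a token endpoint should return; it must not
// reveal which check failed.
var ErrInvalidGrant = errors.New("invalid_grant")

// Store is a constructed in-memory code store keyed by code value.
type Store map[string]*AuthCode

// NewStore builds constructed sample data relative to a fixed "now":
// code-A is fresh, code-B expired one minute ago; both belong to client-app-1.
func NewStore(now time.Time) Store {
	return Store{
		"code-A": {Code: "code-A", ClientID: "client-app-1", ExpiresAt: now.Add(5 * time.Minute)},
		"code-B": {Code: "code-B", ClientID: "client-app-1", ExpiresAt: now.Add(-1 * time.Minute)},
	}
}

// ValidateVulnerable mirrors the logic error the advisory describes: the code is
// rejected only when BOTH the client ID is wrong AND the code is expired. A fresh
// code presented by the wrong client, or an expired code presented by the right
// client, is accepted.
func ValidateVulnerable(s Store, code, clientID string, now time.Time) (*AuthCode, error) {
	ac, ok := s[code]
	if !ok {
		return nil, ErrInvalidGrant
	}
	wrongClient := ac.ClientID != clientID
	expired := !now.Before(ac.ExpiresAt)
	if wrongClient && expired { // bug: should be ||
		return nil, ErrInvalidGrant
	}
	return ac, nil
}

// ValidateFixed rejects when EITHER the client ID mismatches OR the code is expired,
// and additionally refuses a code that has already been redeemed (single use).
func ValidateFixed(s Store, code, clientID string, now time.Time) (*AuthCode, error) {
	ac, ok := s[code]
	if !ok {
		return nil, ErrInvalidGrant
	}
	if ac.ClientID != clientID || !now.Before(ac.ExpiresAt) || ac.Redeemed {
		return nil, ErrInvalidGrant
	}
	ac.Redeemed = true
	return ac, nil
}

func main() {
	now := time.Date(2026, 3, 10, 12, 0, 0, 0, time.UTC)
	cases := []struct{ code, client string }{
		{"code-A", "client-app-1"}, // legitimate exchange
		{"code-A", "client-app-2"}, // cross-client exchange
		{"code-B", "client-app-1"}, // expired code reuse
		{"code-B", "client-app-2"}, // both wrong
	}
	for _, c := range cases {
		_, vErr := ValidateVulnerable(NewStore(now), c.code, c.client, now)
		_, fErr := ValidateFixed(NewStore(now), c.code, c.client, now)
		fmt.Printf("%-7s by %-12s vulnerable=%v fixed=%v\n", c.code, c.client, vErr == nil, fErr == nil)
	}
}
```

Running the program prints that the faulty validator accepts three of the four cases (only the "both wrong" case is refused), while the corrected validator accepts only the legitimate exchange. The single `invalid_grant` error for every failure path is deliberate: distinguishing "wrong client" from "expired" in the response would leak information about other clients' codes.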
GHSA CVSS 3.1
8.5
Vulnerability type
CWE-863
Incorrect Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026