Cyber Resilience

CVE-2026-28512

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
EPSS Score 0.0002 4.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28512 is a high-severity Open Redirect (CWE-601) vulnerability in Pocket-Id Pocket Id. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Pocket ID, an OpenID Connect (OIDC) provider enabling passkey-based authentication for services, contains a vulnerability in versions 2.0.0 through 2.3.x designated as CVE-2026-28512. The flaw stems from improper callback URL validation, specifically allowing crafted redirect_uri parameters that include URL userinfo components (e.g., containing "@") to bypass legitimate callback pattern checks. This issue, mapped to CWE-601 (URL Redirection to Untrusted Site), carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).

An attacker can exploit this vulnerability over the network with low complexity and no required privileges by tricking a user into interacting with a malicious authorization link, such as via phishing. Successful exploitation redirects the authorization code to an attacker-controlled host, enabling high confidentiality impact through potential theft of the code for further unauthorized access, alongside low integrity impact.

The vulnerability is addressed in Pocket ID version 2.4.0. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-9h33-g3ww-mqff) and the fixing commit (3a339e33191c31b68bf57db907f800d9de5ffbc8).

EU & UK References

Vulnerability details

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback…

more

pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

Vuln in public-facing OIDC provider (improper redirect_uri validation) is directly exploitable over the network (T1190) via crafted malicious authorization links delivered by phishing to steal auth codes (T1566.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28513Same product: Pocket-Id Pocket Id
CVE-2026-7504Shared CWE-601
CVE-2026-29067Shared CWE-601
CVE-2026-6795Shared CWE-601
CVE-2025-23363Shared CWE-601
CVE-2019-25282Shared CWE-601
CVE-2026-23818Shared CWE-601
CVE-2025-50067Shared CWE-601
CVE-2025-24868Shared CWE-601
CVE-2026-0508Shared CWE-601

Affected Assets

pocket-id
pocket id
2.0.0 — 2.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of redirect_uri input to reject crafted values containing userinfo (@) that bypass pattern checks.

prevent

Enforces approved information flows so the authorization code is only sent to registered callback hosts, blocking exfiltration to attacker-controlled URIs.

prevent

Enforces access decisions based on properly validated redirect targets before releasing the authorization code.

References