CVE-2026-28513
Published: 10 March 2026
Summary
CVE-2026-28513 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Pocket-Id Pocket Id. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 2.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-13 (Identity Providers and Authorization Servers).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Mandates verification of correct implementation and configuration of authorization servers like Pocket ID to enforce independent client ID and expiration validation, directly preventing cross-client code exchange and expired code reuse.
- Enforces approved authorizations in OIDC token endpoints to bind authorization codes to specific client IDs, mitigating improper access enforcement that allows cross-client exchanges.
- Requires validation of inputs to the token endpoint, ensuring client ID and code expiration are checked independently to reject invalid or expired authorization codes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public OIDC token endpoint enables direct exploitation of a network-accessible authentication service (T1190) and illicit acquisition of application access tokens via cross-client code exchange (T1528).
NVD Description
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.
Deeper analysis
CVE-2026-28513 affects Pocket ID, an OpenID Connect (OIDC) provider that lets users authenticate to services with passkeys. In versions prior to 2.4.0, the OIDC token endpoint validates authorization codes incorrectly: a code is rejected only when the client ID is wrong and the code is expired at the same time, so either condition on its own is accepted. This flaw enables cross-client authorization code exchange and reuse of expired codes, mapped to CWE-863 (Incorrect Authorization). The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality impact across a changed scope.
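The defect described in the NVD text and the analysis above is a boolean logic error in the token endpoint: two rejection conditions joined with AND instead of being enforced separately. The following Go snippet is an added illustration, not Pocket ID's code; the AuthCode type, the function names and the sample values are constructed for this example. It places the conjunctive check the advisory describes beside the independent checks that a conforming token endpoint performs (RFC 6749 section 4.1.3 requires the code to have been issued to the requesting client and to be unexpired), so the four combinations of client match and expiry can be compared directly.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuthCode is a stored authorization code as an authorization server keeps it
// between the authorize and token requests. Constructed for this example; it is
// not Pocket ID's data model.
type AuthCode struct {
	Value     string
	ClientID  string    // client the code was issued to
	ExpiresAt time.Time // code lifetime end
}

var (
	ErrClientMismatch = errors.New("authorization code was not issued to this client")
	ErrCodeExpired    = errors.New("authorization code has expired")
)

// validateVulnerable reproduces the logic error the advisory describes: the two
// conditions are joined with AND, so the code is rejected only when the client
// ID is wrong and the code is expired at the same time. A wrong client with an
// unexpired code, or the right client with an expired code, is accepted.
func validateVulnerable(c AuthCode, clientID string, now time.Time) error {
	if c.ClientID != clientID && now.After(c.ExpiresAt) {
		return ErrClientMismatch
	}
	return nil
}

// validateFixed enforces each condition independently, which is the behaviour
// the advisory attributes to the fixed release. A real token endpoint also
// consumes the code (single use) and verifies PKCE; those checks are out of
// scope for this illustration.
func validateFixed(c AuthCode, clientID string, now time.Time) error {
	if c.ClientID != clientID {
		return ErrClientMismatch
	}
	if now.After(c.ExpiresAt) {
		return ErrCodeExpired
	}
	return nil
}

func main() {
	issued := time.Date(2026, 3, 10, 12, 0, 0, 0, time.UTC)
	code := AuthCode{Value: "constructed-code", ClientID: "client-a", ExpiresAt: issued.Add(time.Minute)}

	cases := []struct {
		label    string
		clientID string
		at       time.Time
	}{
		{"right client, unexpired", "client-a", issued.Add(30 * time.Second)},
		{"wrong client, unexpired", "client-b", issued.Add(30 * time.Second)},
		{"right client, expired", "client-a", issued.Add(2 * time.Minute)},
		{"wrong client, expired", "client-b", issued.Add(2 * time.Minute)},
	}
	for _, tc := range cases {
		fmt.Printf("%-24s vulnerable=%v fixed=%v\n", tc.label,
			validateVulnerable(code, tc.clientID, tc.at),
			validateFixed(code, tc.clientID, tc.at))
	}
}
```

Running the table shows the vulnerable check returning nil for the "wrong client, unexpired" and "right client, expired" rows, which are exactly the cross-client exchange and expired-code reuse the advisory names; the fixed check rejects all three bad rows and accepts only the first.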
An attacker with low privileges, such as a legitimate but malicious OIDC client or an authenticated user, can exploit this over the network without user interaction. Given a valid authorization code issued to one client, obtained through interception, social engineering, or other means, the attacker can exchange it under a different client ID and receive tokens. Likewise, an expired code is still accepted as long as the presented client ID matches, because the expiration check only takes effect together with a client ID mismatch. Successful exploitation grants high confidentiality access, potentially allowing token issuance for unauthorized clients and subsequent service impersonation or data exfiltration.
The GitHub security advisory (GHSA-qh6q-598w-w6m2) confirms the issue is resolved in Pocket ID version 2.4.0, where the token endpoint enforces proper validation of client ID and code expiration independently. Security practitioners should upgrade to 2.4.0 or later and review OIDC client configurations for code handling best practices.
Details
- CWE(s)