Home / Vulnerability Intelligence / CVE-2026-28513

CVE-2026-28513 - Vulnerability Analysis

HighCVSS: 8.5

Last Updated: March 11, 2026

Pocket ID - Authentication Bypass

Published: March 10, 2026Updated: March 11, 2026Remote Exploitable

Overview

Pocket ID < 2.4.0 contains a broken authentication caused by improper validation of authorization code and client ID in the OIDC token endpoint, letting attackers perform cross-client code exchange and reuse expired codes, exploit requires crafted authorization requests.

Severity & Score

Severity: High

CVSS Score: 8.5

Impact

Attackers can reuse expired authorization codes and exchange codes across clients, potentially leading to unauthorized access.

Mitigation

Update to version 2.4.0 or later.

References

https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2

Related Resources

Details

CVE ID: CVE-2026-28513
Severity: High
CVSS Score: 8.5
Type: broken_authentication
Status: unconfirmed

CWE

CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N