PT-2026-24136 · Pocket Id · Pocket-Id

Byamb4 · Published 2026-03-09 · Updated 2026-03-25

CVE-2026-28512

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pocket ID versions 2.0.0 through 2.4.0
Description: Pocket ID is an OpenID Connect (OIDC) provider that lets users authenticate with passkeys. A flaw in its callback URL validation allowed crafted redirect_uri values containing URL userinfo (the part of the authority before an @, as in https://trusted.example@attacker.example/callback) to satisfy the legitimate callback pattern checks while pointing at a different host: the check matched the trusted host name that appears before the @, but a URL parser treats that text as userinfo and sends the request to the host after it. If an attacker can trick a user into opening such a crafted authorization link, the authorization code may be delivered to an attacker-controlled host.
Recommendations: Update to version 2.4.0 or later. As a workaround, reject callback URLs containing userinfo (@) at the reverse proxy or application policy level if feasible. Note that redirect_uri arrives as a query parameter and the @ may be percent-encoded as %40, so a filter must decode the parameter value before checking it, and it should be treated as a stopgap rather than a replacement for the upgrade.
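To make the mechanism concrete, the following is an added Go example (Pocket ID is written in Go, but this is editor-written illustration, not Pocket ID's own code or configuration format). It contrasts a flat-string pattern check, which the userinfo trick defeats, with a check that parses the URL with net/url, refuses any userinfo, and compares scheme, host and path exactly. The hostnames, the trailing-asterisk pattern syntax and the function names are assumptions made for the example. The third probe (a suffix-domain host) shows the wider weakness of flat-string matching; it is not a finding from this advisory.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed registration data for one OIDC client. The trailing "*" glob
// syntax and the hostnames are assumptions made for this example; they are
// not Pocket ID's configuration format or code.
var registeredPatterns = []string{"https://app.example.com*"}

// The same client's callback as an exact URL, used by the hardened check.
var registeredCallbacks = []string{"https://app.example.com/callback"}

// weakCallbackAllowed models the vulnerable class of check: redirect_uri is
// compared as a flat string against a pattern ("*" becomes ".*") without
// ever parsing its authority component.
func weakCallbackAllowed(redirectURI string) bool {
	for _, p := range registeredPatterns {
		expr := "^" + strings.ReplaceAll(regexp.QuoteMeta(p), `\*`, ".*") + "$"
		if regexp.MustCompile(expr).MatchString(redirectURI) {
			return true
		}
	}
	return false
}

// hardenedCallbackAllowed parses redirect_uri with net/url, refuses any URL
// that carries userinfo or a fragment, and then requires scheme, host (with
// port) and path to equal a registered callback exactly. The returned string
// explains the decision.
func hardenedCallbackAllowed(redirectURI string) (bool, string) {
	u, err := url.Parse(redirectURI)
	if err != nil {
		return false, "unparseable redirect_uri: " + err.Error()
	}
	if u.User != nil {
		// Everything before "@" in the authority is userinfo; the real
		// destination is u.Host, which the weak check never looked at.
		return false, "userinfo (@) rejected; actual host would be " + u.Host
	}
	if u.Fragment != "" {
		return false, "fragment not permitted in redirect_uri"
	}
	for _, reg := range registeredCallbacks {
		r, err := url.Parse(reg)
		if err != nil {
			continue
		}
		if strings.EqualFold(u.Scheme, r.Scheme) &&
			strings.EqualFold(u.Host, r.Host) &&
			u.Path == r.Path {
			return true, "exact match with " + reg
		}
	}
	return false, "no registered callback matches host " + u.Host
}

func main() {
	// Constructed probes: the legitimate callback, the userinfo trick from
	// the advisory, and a suffix-domain trick that also defeats flat-string
	// prefix matching.
	probes := []string{
		"https://app.example.com/callback",
		"https://app.example.com@attacker.example/callback",
		"https://app.example.com.attacker.example/callback",
	}
	for _, p := range probes {
		ok, why := hardenedCallbackAllowed(p)
		fmt.Printf("%-52s weak=%-5v hardened=%-5v (%s)\n", p, weakCallbackAllowed(p), ok, why)
	}
}
```

Running it shows the weak check accepting all three probes while the hardened check accepts only the registered callback. The decisive line is the u.User check: Go's parser assigns app.example.com to User and attacker.example to Host for the crafted URL, so any validator that inspects parsed components rather than the raw string sees the real destination.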

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2026-28512
GHSA-9H33-G3WW-MQFF
GO-2026-4653
SUSE-SU-2026:1042-1

Affected Products

Pocket-Id