PT-2026-24137 · Pocket Id · Pocket-Id

Dorakemon · Published 2026-03-09 · Updated 2026-03-25 · CVE-2026-28513

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pocket ID versions prior to 2.4.0
Description: Pocket ID is an OIDC provider susceptible to cross-client code exchange and expired-code reuse. The OIDC token endpoint validates authorization codes incorrectly: it rejects a code only when both the client ID is wrong and the code is expired. As a result, an attacker can exchange an authorization code issued for one client using another client's credentials, potentially obtaining tokens for users who never authorized the malicious client. Expired authorization codes can likewise be reused until the cleanup process runs.

The issue resides in backend/internal/service/oidc_service.go, at line 407, where a logical AND (&&) should be a logical OR (||) in the authorization-code validation. The vulnerable condition is: if authorizationCodeMetaData.ClientID != input.ClientID && authorizationCodeMetaData.ExpiresAt.ToTime().Before(time.Now()). An attacker can exploit this by presenting a valid authorization code intended for one client together with the client ID of another client to obtain access tokens. The endpoint involved is /api/oidc/token, with the grant_type parameter set to authorization_code, the code parameter carrying the authorization code, and the client_id and client_secret parameters for client authentication.
Recommendations: Versions prior to 2.4.0 should be updated to version 2.4.0 or later.
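As an added illustration (not code from the Pocket ID project), the flawed check and its corrected form side by side, exercised against the three cases the advisory describes. AuthCodeMetaData, validateVulnerable and validateFixed are constructed stand-ins; the field names mirror those quoted in the description.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuthCodeMetaData is a constructed stand-in for the stored authorization-code
// record; the field names mirror the ones quoted in the advisory.
type AuthCodeMetaData struct {
	ClientID  string
	ExpiresAt time.Time
}

var ErrInvalidCode = errors.New("invalid authorization code")

// validateVulnerable reproduces the pre-2.4.0 condition: with &&, the code is
// rejected only when the client differs AND the code has expired.
func validateVulnerable(meta AuthCodeMetaData, clientID string, now time.Time) error {
	if meta.ClientID != clientID && meta.ExpiresAt.Before(now) {
		return ErrInvalidCode
	}
	return nil
}

// validateFixed uses ||: either a client mismatch or expiry rejects the code.
func validateFixed(meta AuthCodeMetaData, clientID string, now time.Time) error {
	if meta.ClientID != clientID || meta.ExpiresAt.Before(now) {
		return ErrInvalidCode
	}
	return nil
}

func main() {
	now := time.Date(2026, 3, 9, 12, 0, 0, 0, time.UTC) // constructed clock
	cases := []struct {
		name     string
		meta     AuthCodeMetaData
		clientID string
	}{
		{"right client, valid code", AuthCodeMetaData{"client-a", now.Add(5 * time.Minute)}, "client-a"},
		{"other client, valid code", AuthCodeMetaData{"client-a", now.Add(5 * time.Minute)}, "client-b"},
		{"right client, expired code", AuthCodeMetaData{"client-a", now.Add(-time.Minute)}, "client-a"},
	}
	for _, c := range cases {
		fmt.Printf("%-28s vulnerable=%v fixed=%v\n", c.name,
			validateVulnerable(c.meta, c.clientID, now), validateFixed(c.meta, c.clientID, now))
	}
}
```

Only the last two cases differ between the two checks: the && form returns nil (accepts) for a cross-client code and for an expired code, which is exactly the behaviour the advisory reports.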

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-28513
GHSA-QH6Q-598W-W6M2
GO-2026-4656
SUSE-SU-2026:1042-1

Affected Products

Pocket-Id