PT-2026-40035 · Pocket Id · Pocket-Id

Published 2026-05-12 · Updated 2026-05-13 · CVE-2026-43983

CVSS v4.0: 8.5 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Pocket ID versions prior to 2.6.0
Description: The createTokenFromRefreshToken() function in oidc_service.go validates the cryptographic integrity of refresh tokens but does not re-verify the user's current authorization state before issuing new tokens. As a result, a client can keep refreshing tokens indefinitely after its authorization has been revoked, refresh tokens remain functional after the account is disabled, and tokens continue to work even after a client is removed from a group.
Recommendations: Update to version 2.6.0.
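As an added illustration (not Pocket ID's own code; the in-memory store, its field names and the recheck flag are assumptions made for this example), a Go refresh handler with the flawed token-only path beside one that re-verifies the account state, the client authorization and the client's group restriction before issuing a new token:

```go
package main

import "errors"

// Constructed in-memory state standing in for the identity provider's
// database; an assumption for this example, not Pocket ID's own code.
type user struct {
	disabled bool
	groups   map[string]bool
}
type client struct{ allowedGroups []string } // empty: any user may use it
type refreshToken struct{ userID, clientID string }
type store struct {
	users      map[string]*user
	clients    map[string]*client
	tokens     map[string]*refreshToken // presence = signature/expiry already verified
	authorized map[string]bool          // "user:client" -> authorization still granted
}

var errInvalid, errRevoked = errors.New("invalid refresh token"), errors.New("no longer authorized")

// refresh issues a new access token. recheck=false mirrors the flaw class (only the
// token itself is validated); recheck=true re-verifies live state and burns the token.
func (s *store) refresh(tok string, recheck bool) (string, error) {
	rt, ok := s.tokens[tok]
	if !ok {
		return "", errInvalid
	}
	if recheck && !s.stillAuthorized(rt.userID, rt.clientID) {
		delete(s.tokens, tok)
		return "", errRevoked
	}
	return "access:" + rt.userID + ":" + rt.clientID, nil
}

// stillAuthorized is the check the vulnerable path skips: account enabled,
// client authorization not revoked, and the client's group restriction still met.
func (s *store) stillAuthorized(userID, clientID string) bool {
	u, uok := s.users[userID]
	c, cok := s.clients[clientID]
	if !uok || !cok || u.disabled || !s.authorized[userID+":"+clientID] {
		return false
	}
	for _, g := range c.allowedGroups {
		if u.groups[g] {
			return true
		}
	}
	return len(c.allowedGroups) == 0
}
```

Burning the refresh token on a failed recheck matters as much as the check itself: otherwise a revoked client can keep retrying until state changes in its favour.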

Weakness Enumeration

Insufficient Session Expiration

Improper Authorization

Related Identifiers

CVE-2026-43983

Affected Products

Pocket-Id