CVE
CVE-2026-28512
Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion
Impact
A flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host.
Patches
Fixed in v2.3.1 (commit 3a339e33191c31b68bf57db907f800d9de5ffbc8).
The fix replaces delimiter-based callback matching with structured URL pattern matching and updates validation logic/tests.
Workarounds
- Reject callback URLs containing userinfo (
@) at reverse proxy / app policy level if feasible.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.1
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
C
H
U
-
Related Resources
No items found.
References
https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff, https://nvd.nist.gov/vuln/detail/CVE-2026-28512, https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8, https://github.com/pocket-id/pocket-id
Basic Information
Ecosystem
