CVE-2026-28513 Overview
CVE-2026-28513 is an authorization bypass vulnerability in Pocket ID, an OpenID Connect (OIDC) provider that enables users to authenticate with passkeys. Prior to version 2.4.0, the OIDC token endpoint contains a critical flaw in its authorization code validation logic that allows attackers to exploit cross-client code exchange and expired code reuse.
Critical Impact
This vulnerability enables attackers to bypass authorization controls by exchanging authorization codes across different clients or reusing expired codes, potentially leading to unauthorized access to protected services and confidential user data.
Affected Products
- Pocket ID versions prior to 2.4.0
- OIDC-integrated services relying on vulnerable Pocket ID instances
- Applications using Pocket ID for passkey-based authentication
Discovery Timeline
- 2026-03-10 - CVE-2026-28513 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-28513
Vulnerability Analysis
This vulnerability falls under CWE-863 (Incorrect Authorization), where the OIDC token endpoint fails to properly validate authorization codes. The flawed validation logic only rejects an authorization code when both conditions are met simultaneously: the client ID is incorrect AND the code has expired. This creates a dangerous authorization bypass scenario.
In a properly implemented OIDC flow, the authorization code should be validated against the specific client that initiated the authorization request. Additionally, expired codes should be rejected regardless of the client ID. The vulnerability in Pocket ID allows two distinct attack scenarios: an attacker can use a valid authorization code obtained for one client (Client A) to request tokens for a different client (Client B), and expired authorization codes can be reused if the client ID matches the original request.
Root Cause
The root cause stems from improper conditional logic in the token endpoint's authorization code validation routine. Instead of independently verifying the client ID match AND the code expiration status, the implementation uses a combined conditional check that only fails when both conditions are violated. This means valid client ID + expired code = accepted, and invalid client ID + valid code = accepted.
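The conditional described above, shown as an added illustration rather than Pocket ID's actual code: validateVulnerable reproduces the combined check, validateFixed checks the two conditions independently, and the AuthorizationCode struct and its field names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuthorizationCode is a constructed stand-in for the stored record of an issued
// code; the field names are assumptions for this example, not Pocket ID's.
type AuthorizationCode struct {
	ClientID  string
	ExpiresAt time.Time
}

var (
	ErrClientMismatch = errors.New("code was issued to a different client")
	ErrCodeExpired    = errors.New("authorization code has expired")
)

// validateVulnerable mirrors the flawed logic described for CVE-2026-28513: the
// code is rejected only when the client ID is wrong AND the code has expired.
func validateVulnerable(ac AuthorizationCode, clientID string, now time.Time) error {
	if ac.ClientID != clientID && !now.Before(ac.ExpiresAt) {
		return errors.New("invalid authorization code")
	}
	return nil
}

// validateFixed checks each condition on its own, as the 2.4.0 fix is described
// to do: a client mismatch or an expired code is rejected independently.
func validateFixed(ac AuthorizationCode, clientID string, now time.Time) error {
	if ac.ClientID != clientID {
		return ErrClientMismatch
	}
	if !now.Before(ac.ExpiresAt) {
		return ErrCodeExpired
	}
	return nil
}

func main() {
	issued := time.Date(2026, 3, 10, 12, 0, 0, 0, time.UTC)
	ac := AuthorizationCode{ClientID: "client-a", ExpiresAt: issued.Add(time.Minute)}
	fresh, late := issued.Add(10*time.Second), issued.Add(2*time.Minute)
	// Cross-client fresh code, then same-client expired code: vulnerable
	// returns <nil> for both, fixed rejects both.
	fmt.Println(validateVulnerable(ac, "client-b", fresh), validateFixed(ac, "client-b", fresh))
	fmt.Println(validateVulnerable(ac, "client-a", late), validateFixed(ac, "client-a", late))
}
```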
Attack Vector
The attack is network-based and requires low privileges (authenticated user context). An attacker who obtains or intercepts an authorization code can exploit this vulnerability to:
Cross-Client Token Exchange: Capture an authorization code issued to a legitimate client and exchange it at the token endpoint using a different client's credentials to obtain tokens for unauthorized access.
Expired Code Reuse: Replay previously captured authorization codes that should have expired, as long as the correct client ID is provided in the token request.
The vulnerability affects confidentiality significantly, with some impact to integrity, as attackers can potentially access protected resources and user data intended for other clients or sessions. For detailed technical analysis, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-28513
Indicators of Compromise
- Unusual token exchange requests where the authorization code was issued to a different client than the one requesting tokens
- Token endpoint requests using authorization codes well past their expected expiration window
- Multiple successful token exchanges using the same authorization code across different client IDs
- Authentication logs showing discrepancies between the original authorization request client and token exchange client
Detection Strategies
- Monitor OIDC token endpoint logs for authorization codes being exchanged by clients different from the original issuing client
- Implement alerting for successful token exchanges where the code age exceeds the configured expiration threshold
- Cross-reference authorization request logs with token exchange logs to identify client ID mismatches
- Audit authentication patterns for anomalous replay attempts or cross-client activity
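The cross-referencing strategy above, as an added example that is not part of the advisory or of Pocket ID: it joins constructed token-exchange records back to the authorization request that issued each code and flags client mismatches, exchanges past the configured lifetime, reused codes, and codes with no issuing request. The Event and Finding types and their field names are assumptions, not Pocket ID's log schema.

```go
package main

import "time"

// Event is a constructed log record used for both the authorization request
// (code issued) and the token exchange; the field names are assumptions for
// this example, not Pocket ID's real log schema.
type Event struct {
	Code, ClientID string
	At             time.Time
}

// Finding is one suspicious successful token exchange and why it was flagged.
type Finding struct{ Code, Reason string }

// correlate joins each successful token exchange back to the authorization
// request that issued the code and flags the patterns this CVE enables:
// a client mismatch, an exchange past the code lifetime, and code reuse.
func correlate(issued, exchanges []Event, lifetime time.Duration) []Finding {
	byCode := make(map[string]Event, len(issued))
	for _, e := range issued {
		byCode[e.Code] = e
	}
	used := map[string]bool{}
	var out []Finding
	for _, x := range exchanges {
		orig, ok := byCode[x.Code]
		switch {
		case !ok:
			out = append(out, Finding{x.Code, "no matching authorization request"})
		case x.ClientID != orig.ClientID:
			out = append(out, Finding{x.Code, "issued to " + orig.ClientID + ", exchanged by " + x.ClientID})
		case x.At.Sub(orig.At) > lifetime:
			out = append(out, Finding{x.Code, "exchanged after code lifetime"})
		case used[x.Code]:
			out = append(out, Finding{x.Code, "code exchanged more than once"})
		}
		used[x.Code] = true
	}
	return out
}

func main() {
	t0 := time.Date(2026, 3, 10, 12, 0, 0, 0, time.UTC)
	issued := []Event{{"c1", "client-a", t0}, {"c2", "client-a", t0}}
	exchanges := []Event{{"c1", "client-b", t0.Add(5 * time.Second)}, {"c2", "client-a", t0.Add(3 * time.Minute)}}
	for _, f := range correlate(issued, exchanges, time.Minute) {
		println(f.Code, f.Reason)
	}
}
```

Each exchange yields at most one finding, in the order of the checks, so a replayed code that is also expired is reported as expired.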
Monitoring Recommendations
- Enable detailed logging for all OIDC token endpoint transactions including client ID, code issuance time, and exchange time
- Implement real-time monitoring for authorization code reuse patterns
- Set up alerts for authentication anomalies that may indicate exploitation attempts
- Review access logs for services integrated with Pocket ID for unauthorized access patterns
How to Mitigate CVE-2026-28513
Immediate Actions Required
- Upgrade Pocket ID to version 2.4.0 or later immediately
- Audit recent authentication logs for potential exploitation indicators
- Review access to sensitive resources that may have been compromised through this vulnerability
- Rotate client secrets for all OIDC clients registered with the affected Pocket ID instance
Patch Information
The vulnerability is fixed in Pocket ID version 2.4.0. The patch corrects the authorization code validation logic to independently verify both the client ID match and code expiration status. Organizations should update to this version as soon as possible. Additional details can be found in the GitHub Security Advisory.
Workarounds
- Reduce authorization code lifetime to minimize the window of opportunity for code reuse attacks
- Implement additional application-layer validation of authorization codes before accepting tokens
- Monitor and rate-limit token exchange requests to detect and mitigate potential exploitation attempts
- Consider implementing network-level restrictions to limit token endpoint access to known, trusted client IP ranges
# Configuration example - Reduce authorization code lifetime
# In your Pocket ID configuration file, set a shorter code expiration:
OIDC_AUTHORIZATION_CODE_LIFETIME=30
# Note: Upgrade to version 2.4.0 is the recommended solution
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.