CVE-2026-28512
📋 TL;DR
CVE-2026-28512 is an OpenID Connect callback URL validation bypass in Pocket ID versions 2.0.0 through 2.3.x. Attackers can craft malicious authorization links containing URL userinfo (@) to redirect authorization codes to attacker-controlled hosts. This affects all services using vulnerable Pocket ID OIDC provider versions for authentication.
💻 Affected Systems
- Pocket ID OIDC Provider
📦 What is this software?
Pocket ID, an OpenID Connect (OIDC) provider, by the Pocket ID project
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal valid authorization codes and potentially obtain user authentication tokens, leading to account compromise and unauthorized access to connected services.
Likely Case
Attackers redirect authorization codes to their servers, enabling session hijacking or account takeover for users who click malicious links.
If Mitigated
With proper network segmentation and monitoring, impact is limited to isolated authentication events with detectable anomalous redirects.
🎯 Exploit Status
Exploitation requires user interaction (the victim must click a malicious link) but relies only on simple URL manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0
Vendor Advisory: https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update Pocket ID to version 2.4.0 or later.
3. Restart the Pocket ID service.
4. Verify that callback URL validation is functioning correctly.
🔧 Temporary Workarounds
Strict Redirect URI Validation
Implement additional server-side validation of redirect_uri parameters against a strict allowlist of exactly matching registered callback URIs, rejecting any value that contains a userinfo component ('@').
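As an added example (not Pocket ID's code), the check below contrasts a textual prefix test, a hypothetical stand-in for the class of validation this advisory describes, with a strict parsed-component allowlist match that rejects userinfo outright; the registered callback URI and host names are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Callback URI registered for one OIDC client, and the origin a weak check
// might trust (constructed sample values, not Pocket ID configuration).
var registeredRedirects = []string{"https://app.example.com/oauth/callback"}
const trustedOrigin = "https://app.example.com"

// naiveAllowed is a hypothetical stand-in for the class of check this
// advisory describes: a textual prefix test that never parses the URI.
func naiveAllowed(redirect string) bool {
	return strings.HasPrefix(redirect, trustedOrigin)
}

// effectiveHost returns the host an HTTP client would actually connect to;
// anything before '@' in the authority is userinfo, not the host.
func effectiveHost(redirect string) string {
	u, err := url.Parse(redirect)
	if err != nil {
		return ""
	}
	return u.Hostname()
}

// strictAllowed parses redirect_uri and requires an exact component match
// with a registered URI; userinfo and fragments are rejected outright.
func strictAllowed(redirect string) bool {
	u, err := url.Parse(redirect)
	if err != nil || !u.IsAbs() || u.User != nil || u.Fragment != "" {
		return false
	}
	for _, reg := range registeredRedirects {
		r, err := url.Parse(reg)
		if err == nil && strings.EqualFold(u.Scheme, r.Scheme) &&
			strings.EqualFold(u.Host, r.Host) &&
			u.Path == r.Path && u.RawQuery == r.RawQuery {
			return true
		}
	}
	return false
}

func main() {
	crafted := "https://app.example.com@attacker.example/oauth/callback"
	fmt.Println(effectiveHost(crafted), naiveAllowed(crafted), strictAllowed(crafted))
}
```

The same parsed-component comparison is what the "Verify Fix Applied" step below is exercising: a redirect_uri carrying '@' must be rejected before any authorization code is issued.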
Network Restriction
Restrict outbound connections from authentication servers to trusted callback domains only.
🧯 If You Can't Patch
- Implement WAF rules to block redirect_uri parameters containing '@' symbols or unexpected userinfo components.
- Monitor authentication logs for unusual redirect patterns or callback URLs to non-approved domains.
🔍 How to Verify
Check if Vulnerable:
Check the Pocket ID version: if it is between 2.0.0 and 2.3.x, the system is vulnerable. Test with a crafted redirect_uri containing '@' to see whether the validation bypass occurs.
Check Version:
Run pocket-id --version, or check the package manager (apt list pocket-id, yum list pocket-id, etc.).
Verify Fix Applied:
After updating to 2.4.0 or later, attempt to use a redirect_uri containing '@'; it should be rejected with a validation error.
📡 Detection & Monitoring
Log Indicators:
- Authentication logs showing redirect_uri values containing '@' symbols
- Callback requests to unexpected domains
- Failed authorization attempts with malformed URIs
Network Indicators:
- Outbound HTTP/HTTPS connections from authentication servers to unknown domains during OIDC flow
- Unusual redirect patterns in authentication traffic
SIEM Query:
source="pocket-id" AND (redirect_uri="*@*" OR uri="*@*")