CVE-2026-28512
Status: Received - Intake
Open Redirect in Pocket ID OIDC Callback URL Validation

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: pocket-id; Product: pocket_id; Version range: from 2.0.0 (inclusive) to 2.4.0 (exclusive)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28512 is a high-severity vulnerability in the Pocket ID OIDC provider affecting versions 2.0.0 up to but not including 2.4.0. The flaw lies in the validation of the redirect_uri parameter during OAuth authorization: the matching logic did not correctly handle the userinfo component of a URL (the part of the authority before the '@'), so a crafted redirect_uri with embedded userinfo could satisfy the registered callback URL pattern check while its actual host was a different one.

An attacker can exploit this by tricking a user into opening a malicious authorization link, causing the OAuth authorization code to be redirected to an attacker-controlled host. This bypasses the intended restriction that codes are only ever delivered to registered callbacks and can lead to unauthorized access or token interception.

The vulnerability was fixed in version 2.4.0 by replacing delimiter-based callback matching with structured URL pattern matching and updating the validation logic to properly handle userinfo in URLs. [1]
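The following Go program is an added example and is not Pocket ID's code or a copy of the 2.4.0 fix. It contrasts a string-level matcher of the kind the description and the explanation above call delimiter-based (modelled here as a prefix check on the registered origin) with a structured check that parses the redirect_uri with net/url and compares scheme, host and path component by component. The client name app.example.com, its callback path and the host attacker.example are assumptions made for the example. The crafted value https://app.example.com@attacker.example/callback passes the naive check because the registered origin is a literal prefix of it, while the parser shows that the text before '@' is userinfo and the real host is attacker.example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Callback registered for a hypothetical OIDC client; the name is an assumption
// made for this example.
const registeredCallback = "https://app.example.com/callback"

// naiveCallbackAllowed models string-level matching: it checks that the
// redirect_uri starts with the registered origin and mentions the registered
// path somewhere. This illustrates the bug class; it is not Pocket ID's code.
func naiveCallbackAllowed(redirectURI string) bool {
	origin := strings.TrimSuffix(registeredCallback, "/callback")
	return strings.HasPrefix(redirectURI, origin) && strings.Contains(redirectURI, "/callback")
}

// structuredCallbackAllowed parses the redirect_uri and compares each component
// with the registered callback, refusing anything a registered callback never
// carries. The second return value explains a rejection.
func structuredCallbackAllowed(redirectURI string) (bool, string) {
	want, err := url.Parse(registeredCallback)
	if err != nil {
		return false, "registered callback unparseable"
	}
	got, err := url.Parse(redirectURI)
	if err != nil {
		return false, "unparseable: " + err.Error()
	}
	switch {
	case got.User != nil:
		// "https://app.example.com@attacker.example/callback" lands here: the
		// text before '@' is userinfo, and the real host is attacker.example.
		return false, "userinfo present, real host is " + got.Host
	case !strings.EqualFold(got.Scheme, want.Scheme):
		return false, "scheme mismatch: " + got.Scheme
	case !strings.EqualFold(got.Host, want.Host):
		return false, "host mismatch: " + got.Host
	case got.Path != want.Path:
		// Compared verbatim: no dot-segment normalisation, so
		// "/callback/../admin" is not "/callback".
		return false, "path mismatch: " + got.Path
	case strings.Contains(redirectURI, "#"):
		// RFC 6749 section 3.1.2 forbids fragments in a redirect URI.
		return false, "fragment not allowed"
	}
	return true, "exact match"
}

func main() {
	cases := []string{
		"https://app.example.com/callback",
		"https://app.example.com@attacker.example/callback",
		"https://app.example.com:443@attacker.example/callback",
		"https://app.example.com.attacker.example/callback",
		"https://app.example.com/callback/../admin",
	}
	for _, c := range cases {
		ok, why := structuredCallbackAllowed(c)
		fmt.Printf("%-56s naive=%-5t structured=%-5t %s\n", c, naiveCallbackAllowed(c), ok, why)
	}
}
```

The host comparison is deliberately exact. Where a deployment needs wildcard callbacks, the wildcard has to be applied to the parsed host component rather than to the raw string, otherwise the same class of bypass returns through userinfo, extra labels or path tricks.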


How can this vulnerability impact me?

If exploited, an attacker can cause the OAuth authorization code for a victim's session to be delivered to a host they control instead of the legitimate client's callback. Because the attacker also authored the authorization link the victim opened, any PKCE code_challenge in that link is theirs, so for a public client (one without a client secret) the stolen code can in general be exchanged for tokens and used to access the victim's account or data at that client; for a confidential client the attacker additionally needs the client secret to redeem the code.

The CVSS v3.1 score rates this vulnerability as high severity (7.1) with a high confidentiality impact, meaning sensitive information could be exposed. The integrity impact is low, and there is no impact on availability.

Because the attack requires user interaction (opening a malicious link), social engineering or phishing techniques would be used to deliver it.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves crafted redirect_uri values containing a userinfo component (text before an '@' in the URL authority) that bypass callback URL validation in Pocket ID versions 2.0.0 to before 2.4.0.

To detect exploitation attempts, monitor OAuth authorization requests for redirect_uri parameters whose authority contains userinfo. A legitimately registered callback never carries userinfo, so such a value is a strong indicator of an attempt to exploit this vulnerability.

Search the access logs of the web server or reverse proxy in front of Pocket ID, since that is where the full request line with the query string is recorded. Two caveats: in a query parameter the '@' is usually percent-encoded as %40, so match both forms, and an '@' can also appear harmlessly inside the redirect_uri's own query string (for example an e-mail address in a login hint), so review hits rather than alerting on them blindly. For example:

- grep -E 'redirect_uri=[^& ]*(@|%40)' /path/to/access/logs
- Capturing traffic with tcpdump -A and grepping the capture for the same pattern only works where the request is visible in cleartext, for instance on the hop between a TLS-terminating proxy and Pocket ID; on port 443 the query string is inside TLS and a grep over the capture will not see it.

These checks identify authorization requests whose redirect_uri contains userinfo, which is the pattern this vulnerability relies on. [1]
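As an added example that is not part of the original page, the Go program below implements the detection described above as a parser rather than a substring match: it extracts the request target from combined-format access-log lines, percent-decodes the redirect_uri parameter, parses it with net/url and reports requests whose authority has a userinfo component. The log lines are constructed for this example, and the /authorize path, client_id, hosts and addresses are assumptions. It also counts what a literal '@' grep would match on the same lines, to show that such a grep misses the %40 form and cannot tell userinfo from an '@' inside the callback's own query string.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one authorization request whose redirect_uri carries userinfo.
type Finding struct {
	LineNo   int
	Client   string // requesting address from the log line
	Userinfo string // text before '@', which a naive matcher mistakes for the host
	Host     string // where the authorization code would actually be sent
}

// sampleLog holds constructed lines in combined log format; they are not real
// Pocket ID logs, and the /authorize path and client_id are assumptions. Lines
// 2 and 3 carry userinfo in redirect_uri (percent-encoded and literal); line 4
// has an '@' only inside the redirect_uri's own query string and is benign.
var sampleLog = []string{
	`203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /authorize?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback HTTP/1.1" 302 0`,
	`203.0.113.9 - - [10/Mar/2026:12:00:07 +0000] "GET /authorize?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%40attacker.example%2Fcallback HTTP/1.1" 302 0`,
	`203.0.113.9 - - [10/Mar/2026:12:00:09 +0000] "GET /authorize?client_id=app&response_type=code&redirect_uri=https://app.example.com:443@attacker.example/callback HTTP/1.1" 302 0`,
	`203.0.113.7 - - [10/Mar/2026:12:00:15 +0000] "GET /authorize?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback%3Fuser%3Dbob%40example.com HTTP/1.1" 302 0`,
}

// requestRe pulls the request target (path and query) out of the quoted request line.
var requestRe = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/`)

// findUserinfoRedirects decodes the redirect_uri query parameter of each
// request, parses it as a URL and reports the ones whose authority has userinfo.
func findUserinfoRedirects(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		req, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		// Query() percent-decodes, so %40 and a literal '@' are treated alike.
		target, err := url.Parse(req.Query().Get("redirect_uri"))
		if err != nil || target.User == nil {
			continue
		}
		out = append(out, Finding{
			LineNo:   i + 1,
			Client:   strings.Fields(line)[0],
			Userinfo: target.User.String(),
			Host:     target.Host,
		})
	}
	return out
}

// literalAtHits counts what `grep 'redirect_uri=.*@'` matches on the same
// lines: it sees only a literal '@' and is blind to the %40 form.
func literalAtHits(lines []string) int {
	n := 0
	for _, line := range lines {
		if i := strings.Index(line, "redirect_uri="); i >= 0 && strings.Contains(line[i:], "@") {
			n++
		}
	}
	return n
}

func main() {
	for _, f := range findUserinfoRedirects(sampleLog) {
		fmt.Printf("line %d from %s: userinfo %q, code would go to %s\n", f.LineNo, f.Client, f.Userinfo, f.Host)
	}
	fmt.Printf("literal '@' grep would match %d line(s)\n", literalAtHits(sampleLog))
}
```

The same decode-then-parse step is what a proxy-level rule has to approximate: decide on the parsed authority of the redirect_uri, not on whether the raw query string contains an '@'.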


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Pocket ID version 2.4.0. The immediate recommended step is to upgrade your Pocket ID installation to version 2.4.0 or later.

If upgrading immediately is not feasible, a recommended workaround is to reject callback URLs containing a userinfo component (a URL with '@' in its authority) at the reverse proxy or application policy level.

This can be implemented by configuring the reverse proxy or web application firewall in front of Pocket ID to block authorization requests whose redirect_uri parameter contains '@'. Match the percent-encoded form %40 as well as the literal character, since a rule that only looks for a literal '@' is bypassed by encoding it. A redirect_uri has no legitimate need for userinfo, so a hard reject is safer than an attempt to sanitise the value; if a legitimate client's callback carries an '@' inside its own query string, narrow the rule to the authority part of the URL rather than the whole parameter.

These steps help prevent attackers from exploiting the improper callback URL validation to redirect authorization codes to attacker-controlled hosts. After patching or deploying the workaround, review earlier access logs for authorization requests with such redirect_uri values to establish whether the flaw was exploited before mitigation. [1]

