Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-28512 is a high-severity vulnerability in the Pocket ID OIDC provider affecting versions 2.0.0 to before 2.4.0. The flaw lies in the improper validation of the redirect_uri parameter during OAuth authorization. Specifically, the validation logic fails to correctly handle URLs containing userinfo components (the part before the '@' symbol in URLs). This allows crafted redirect_uri values with embedded userinfo to bypass legitimate callback URL pattern checks."}, {'type': 'paragraph', 'content': 'An attacker can exploit this by tricking a user into opening a malicious authorization link, causing the OAuth authorization code to be redirected to an attacker-controlled host. This bypasses intended security restrictions and can lead to unauthorized access or token interception.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 2.4.0 by replacing delimiter-based callback matching with structured URL pattern matching and updating the validation logic to properly handle userinfo in URLs.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant security impacts. If exploited, an attacker can redirect OAuth authorization codes to a host they control, potentially allowing unauthorized access to user accounts or sensitive data.

The CVSS v3.1 score rates this vulnerability as high severity (7.1) with a high confidentiality impact, meaning sensitive information could be exposed. The integrity impact is low, and there is no impact on availability.

Because the attack requires user interaction (opening a malicious link), social engineering or phishing techniques could be used to exploit this flaw.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves crafted redirect_uri values containing userinfo components (the '@' symbol) that bypass callback URL validation in Pocket ID versions 2.0.0 to before 2.4.0."}, {'type': 'paragraph', 'content': "To detect exploitation attempts on your network or system, monitor OAuth authorization requests for redirect_uri parameters that include userinfo (i.e., URLs containing '@'). Such URLs are suspicious and may indicate attempts to exploit this vulnerability."}, {'type': 'paragraph', 'content': "You can use network traffic inspection tools or log analysis to search for redirect_uri parameters containing '@'. For example, using command-line tools on logs or captured traffic:"}, {'type': 'list_item', 'content': "grep -r 'redirect_uri=.*@' /path/to/oauth/logs"}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'redirect_uri=.*@'"}, {'type': 'list_item', 'content': "Use web server or reverse proxy logs to search for requests with redirect_uri parameters containing '@'."}, {'type': 'paragraph', 'content': 'These commands help identify authorization requests with potentially malicious redirect_uri values containing userinfo components.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The vulnerability is fixed in Pocket ID version 2.4.0. The immediate recommended step is to upgrade your Pocket ID installation to version 2.4.0 or later.'}, {'type': 'paragraph', 'content': "If upgrading immediately is not feasible, a recommended workaround is to reject callback URLs containing userinfo components (i.e., URLs with '@') at the reverse proxy or application policy level."}, {'type': 'paragraph', 'content': "This can be implemented by configuring your reverse proxy or application firewall to block or sanitize any OAuth authorization requests where the redirect_uri parameter contains '@'."}, {'type': 'paragraph', 'content': 'These steps help prevent attackers from exploiting the improper callback URL validation to redirect authorization codes to attacker-controlled hosts.'}] [1]

Useful 0 Not Useful 0