Executive Summary

CVE-2026-28513 is a high-severity vulnerability in the OpenID Connect (OIDC) token endpoint of Pocket ID versions up to 2.3.0. The issue arises because the token endpoint only rejects an authorization code when both the client ID is incorrect and the code is expired, using a logical AND condition instead of OR. This flawed validation allows two main problems: unauthorized cross-client token exchange and reuse of expired authorization codes.

• Cross-Client Token Exchange: An attacker can exchange an authorization code issued for one OIDC client using the credentials of a different client, obtaining access tokens for users who never authorized that client.
• Expired Code Reuse: Expired authorization codes can be reused with the correct client until a 24-hour cleanup job removes them, allowing token issuance beyond intended validity.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to user tokens by allowing attackers to obtain access tokens for clients they are not authorized to use. This compromises the confidentiality of user data and authentication tokens.

• Attackers can perform cross-client token exchanges, gaining access to services without proper authorization.
• Expired authorization codes can be reused to obtain valid tokens beyond their intended expiration, increasing the window of opportunity for attackers.

The vulnerability has a CVSS v3 base score of 8.5, indicating high severity, with low attack complexity and no user interaction required, making it relatively easy to exploit remotely.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exchange an authorization code issued for one OIDC client using the credentials of a different client. If the token endpoint returns a valid access token instead of rejecting the request, the system is vulnerable.'}, {'type': 'paragraph', 'content': "A practical detection method involves performing a test similar to the proof-of-concept: reset test data, then try exchanging an authorization code from one client (e.g., Nextcloud) using another client's credentials (e.g., Immich). If the server responds with HTTP 200 and valid tokens, the vulnerability exists."}, {'type': 'paragraph', 'content': 'Specific commands depend on your environment and tools, but generally you can use curl or similar HTTP clients to send token exchange requests to the OIDC token endpoint with mismatched client IDs and authorization codes.'}, {'type': 'list_item', 'content': "Use curl to send a POST request to the token endpoint with an authorization code issued for Client A but with Client B's credentials."}, {'type': 'list_item', 'content': 'Check the HTTP response code and token audience in the response to verify if the token was issued incorrectly.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Pocket ID OIDC provider to version 2.4.0 or later, where this vulnerability is fixed.

Until the upgrade can be performed, consider restricting access to the token endpoint to trusted clients only and monitor for suspicious token exchange activity.

Additionally, review and tighten authorization code validation logic if you maintain a custom fork or implementation, ensuring that authorization codes are rejected if either the client ID is incorrect or the code is expired (using a logical OR condition).

Useful 0 Not Useful 0