CVE-2026-28512: Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

March 9, 2026 (updated March 10, 2026)

A flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host.

References

github.com/advisories/GHSA-9h33-g3ww-mqff
github.com/pocket-id/pocket-id
github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8
github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff
nvd.nist.gov/vuln/detail/CVE-2026-28512

Code Behaviors & Features

Detect and mitigate CVE-2026-28512 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →