CVE-2026-28513: Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

March 9, 2026 (updated March 10, 2026)

The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse.

References

github.com/advisories/GHSA-qh6q-598w-w6m2
github.com/pocket-id/pocket-id
github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2
nvd.nist.gov/vuln/detail/CVE-2026-28513

Code Behaviors & Features

Detect and mitigate CVE-2026-28513 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →