Advisories for Golang/Github.com/Pocket-Id/Pocket-Id/Backend package

2026

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse.

Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

A flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host.