CVE-2026-43983HIGH 8.1EPSS p15.7%

CVE-2026-43983CVE-2026-43983

Description

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state before issuing new tokens. This allows (1) the client to refresh the token indefinitely after authorization revocation, (2) the refresh token to continue to work after the account is disabled, and (3) the token to work after the client is removed from the group. This vulnerability is fixed in 2.6.0.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS0.25% probability of exploitation · percentile 15.7% · 2026-06-19T12:03:05Z
Published2026-05-12
Last modified2026-05-13

Underlying weaknesses· 2

CWE-285CWE-613

References

  1. https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44
  2. https://github.com/pocket-id/pocket-id/security/advisories/GHSA-w6p7-2fxx-4f44

2

TypeTargetConfidenceTier
WeaknessImproper Authorizationcwe-2850%live
WeaknessInsufficient Session Expirationcwe-6130%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-43911
CVE
CVE-2026-9802
CVE
CVE-2026-8922
CVE
CVE-2026-43585
CVE
CVE-2026-9097
CVE
CVE-2026-28275
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.