Upstream information
Description
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
| CVSS detail | CNA (GitHub) | National Vulnerability Database |
|---|---|---|
| Base Score | 8.5 | 7.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Changed | Unchanged |
| Confidentiality Impact | High | High |
| Integrity Impact | Low | Low |
| Availability Impact | None | None |
| CVSSv3 Version | 3.1 | 3.1 |
SUSE Security Advisories:
- SUSE-SU-2026:1042-1, published 2026-03-25T15:06:58Z
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|
SUSE Timeline for this CVE
CVE page created: Tue Mar 10 20:01:01 2026CVE page last modified: Thu Mar 26 01:45:11 2026