HIGHVulnerability
Verified
Global

NVD HIGH: CVE-2026-43983 — Pocket ID is an OIDC provider that allows users to authenticate with their passk...

·Source: NIST NVD

Updated:

Executive Summary

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state before issuing new tokens. This allows (1) the client to refresh the token indefinitely after authorizati

Analysis

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state before issuing new tokens. This allows (1) the client to refresh the token indefinitely after authorization revocation, (2) the refresh token to continue to work after the account is disabled, and (3) the token to work after the client is removed from the group. This vulnerability is fixed in 2.6.0. CVSS Score: 8.1. Published: 2026-05-12T15:16:15.797.

Indicators of Compromise (1)

CVE (1)
CVE-2026-43983
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on May 12, 2026. Verified by: NIST.

Related Threats

CRITICALVulnerability

NVD CRITICAL: CVE-2018-25335 — WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerabili...

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Attackers can upload files with arbitrary extensions by manipulating the 'name' parameter to execute code from the uploads directory.

CVE-2018-25335
NIST NVD
CRITICALVulnerability

NVD CRITICAL: CVE-2018-25332 — GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability...

GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint.

CVE-2018-25332
NIST NVD
CRITICALVulnerability

NVD CRITICAL: CVE-2018-25320 — ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code executi...

ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code execution vulnerability that allows attackers to execute arbitrary commands by leveraging the EXECUTE function. Attackers can use bitsadmin to download malicious PowerShell scripts and execute them with system privileges to establish reverse shells and gain complete system control.

CVE-2018-25320
NIST NVD