CVE-2026-43983
Pocket · pocket-id
Pocket ID contains authorization and session management flaws, permitting authenticated users to bypass security controls or maintain invalid sessions.
Executive summary
A critical authorization and session management vulnerability in Pocket ID could allow attackers to bypass security controls and maintain unauthorized access to services.
Vulnerability
This vulnerability involves Improper Authorization (CWE-285) and Insufficient Session Expiration (CWE-613). It allows an authenticated user to perform actions they are not authorized to access or maintain sessions longer than intended.
Business impact
These flaws undermine the OIDC provider's security model, potentially allowing attackers to maintain persistence or perform actions on behalf of other users. Given the CVSS score of 8.1, the impact on identity management systems is severe, as it threatens the trust and authentication integrity of all services relying on Pocket ID.
Remediation
Immediate Action: Update Pocket ID to version 2.6.0 or later to ensure proper authorization checks and session expiration logic are enforced.
Proactive Monitoring: Monitor authentication and session logs for anomalous login durations or users attempting to access restricted administrative functions.
Compensating Controls: Implement additional session validation at the service provider level and enforce short-lived session tokens as a temporary defense-in-depth measure.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The security of an OIDC provider is paramount to the entire ecosystem it protects. Given the existence of a proof-of-concept and the nature of the authorization bypass, immediate migration to version 2.6.0 is essential to protect user sessions and prevent unauthorized access to integrated services.