Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit c8ec732534d2 · 2026-03-09T17:26:21.000Z
GHSA-9h33-g3ww-mqff GHSA-qh6q-598w-w6m2
diff --git a/advisories/github-reviewed/2026/03/GHSA-9h33-g3ww-mqff/GHSA-9h33-g3ww-mqff.json b/advisories/github-reviewed/2026/03/GHSA-9h33-g3ww-mqff/GHSA-9h33-g3ww-mqff.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9h33-g3ww-mqff",
+  "modified": "2026-03-09T17:24:27Z",
+  "published": "2026-03-09T17:24:27Z",
+  "aliases": [
+    "CVE-2026-28512"
+  ],
+  "summary": "Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion",
+  "details": "### Impact\nA flaw in callback URL validation allowed crafted `redirect_uri` values containing URL userinfo (`@`) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host.\n\n### Patches\nFixed in `v2.3.1` (commit 3a339e33191c31b68bf57db907f800d9de5ffbc8).\nThe fix replaces delimiter-based callback matching with structured URL pattern matching and updates validation logic/tests.\n\n### Workarounds\n- Reject callback URLs containing userinfo (`@`) at reverse proxy / app policy level if feasible.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/pocket-id/pocket-id/backend"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260228130835-3a339e33191c"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pocket-id/pocket-id"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-601"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-09T17:24:27Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-qh6q-598w-w6m2/GHSA-qh6q-598w-w6m2.json b/advisories/github-reviewed/2026/03/GHSA-qh6q-598w-w6m2/GHSA-qh6q-598w-w6m2.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qh6q-598w-w6m2",
+  "modified": "2026-03-09T17:25:53Z",
+  "published": "2026-03-09T17:24:49Z",
+  "aliases": [
+    "CVE-2026-28513"
+  ],
+  "summary": "Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange",
+  "details": "### Summary\n\nThe OIDC token endpoint rejects an authorization code only when **both** the client ID is wrong **and** the code is expired. This allows cross-client code exchange and expired code reuse.\n\n### Details\n\n`backend/internal/service/oidc_service.go:407`\n\n```go\nif authorizationCodeMetaData.ClientID != input.ClientID && authorizationCodeMetaData.ExpiresAt.ToTime().Before(time.Now()) {\n    return CreatedTokens{}, &common.OidcInvalidAuthorizationCodeError{}\n}\n```\n\n`&&` should be `||`. Current behavior:\n\n| Condition | Expected | Actual |\n|-----------|----------|--------|\n| Wrong client + valid code | Reject | **Accept** |\n| Correct client + expired code | Reject | **Accept** |\n\n### PoC\n\n**Prerequisite:** pocket-id running with `APP_ENV=test` and `BUILD_TAGS=e2etest`. The test user (Tim Cook) must have authorized both Nextcloud and Immich OIDC clients (i.e., `user_authorized_oidc_clients` records exist for both). The seed data includes an authorization code `auth-code` issued for the Nextcloud client.\n\n```bash\n# 1. Seed test data\ncurl -X POST \"http://localhost:1411/api/test/reset?skip-ldap=true\"\n\n# 2. Exchange Nextcloud's auth code using Immich's credentials\ncurl -X POST http://localhost:1411/api/oidc/token \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"grant_type=authorization_code\" \\\n  -d \"code=auth-code\" \\\n  -d \"client_id=606c7782-f2b1-49e5-8ea9-26eb1b06d018\" \\\n  -d \"client_secret=PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x\" \\\n  -d \"redirect_uri=http://immich/auth/callback\"\n# Expected: 400 (wrong client)\n# Actual: 200 with tokens — access_token.aud = Immich client ID\n```\n\n**Verified result:** HTTP 200 with tokens. The `access_token` audience is `606c7782-...` (Immich), despite the authorization code being issued for `3654a746-...` (Nextcloud).\n\n### Impact\n\nAny OIDC client operator can exchange authorization codes issued for other clients, obtaining tokens for users who never authorized that client. Expired authorization codes can also be reused with the correct client until the 24-hour cleanup job runs.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/pocket-id/pocket-id/backend"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260307173642-b59e35cb59ae"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pocket-id/pocket-id"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-09T17:24:49Z",
+    "nvd_published_at": null
+  }
+}
