📄 Description (English)
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. This vulnerability is fixed in 2.4.0.
🤖 AI Executive Summary
Pocket ID OIDC provider versions prior to 2.4.0 contain an authorization code validation flaw (CWE-863) allowing attackers to exchange authorization codes across different clients or reuse expired codes. This critical authentication bypass affects any organization using Pocket ID for passkey-based authentication. The vulnerability has public exploits available and requires immediate patching to prevent unauthorized access to integrated services.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 02:51
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Pocket ID for authentication—particularly in banking (SAMA-regulated institutions), government agencies (NCA oversight), healthcare providers, and telecommunications companies—face critical risk of unauthorized access. The vulnerability enables attackers to bypass passkey authentication and gain access to sensitive systems without valid credentials. Financial institutions and government portals are at highest risk due to the sensitivity of data accessed through these authentication systems.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
E-commerce and Retail
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.8
/ 10.0
🔧 Remediation Steps (English)
1. IMMEDIATE: Identify all instances of Pocket ID in your environment and document version numbers
2. URGENT: Upgrade all Pocket ID deployments to version 2.4.0 or later immediately
3. INTERIM CONTROL: If immediate patching is not possible, implement strict token validation at the application layer—verify that authorization codes are single-use and validate client ID matches on every token exchange
4. DETECTION: Monitor authentication logs for:
- Multiple token exchange attempts with same authorization code
- Token exchanges from different client IDs using same code
- Successful authentication with expired authorization codes
5. VALIDATION: After patching, conduct penetration testing to confirm authorization code reuse is blocked
6. AUDIT: Review authentication logs for the past 90 days to identify potential exploitation
🔧 خطوات المعالجة (العربية)
1. فوري: حدد جميع حالات Pocket ID في بيئتك وقم بتوثيق أرقام الإصدارات
2. عاجل: قم بترقية جميع نشرات Pocket ID إلى الإصدار 2.4.0 أو أحدث على الفور
3. تحكم مؤقت: إذا لم يكن التصحيح الفوري ممكنًا، قم بتنفيذ التحقق الصارم من الرموز على مستوى التطبيق—تحقق من أن رموز التفويض أحادية الاستخدام والتحقق من تطابق معرف العميل في كل تبديل رمز
4. الكشف: راقب سجلات المصادقة للبحث عن:
- محاولات تبديل رموز متعددة برمز تفويض واحد
- تبديلات الرموز من معرفات عملاء مختلفة باستخدام نفس الرمز
- المصادقة الناجحة برموز التفويض المنتهية الصلاحية
5. التحقق: بعد التصحيح، أجرِ اختبار الاختراق للتأكد من حظر إعادة استخدام رمز التفويض
6. التدقيق: راجع سجلات المصادقة لآخر 90 يومًا لتحديد الاستغلال المحتمل
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User authentication and access control
ECC 2024 A.9.4.3 - Password management systems
ECC 2024 A.14.2.1 - Secure development policy
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software inventory and versioning
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF DE.CM-1 - Detection and analysis of anomalies
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - User registration and access rights management
ISO 27001:2022 A.8.3 - User access provisioning
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Change default vendor-supplied passwords
PCI DSS 6.2 - Security patches and updates
PCI DSS 8.1 - Assign unique ID to each person with access
🔗 References & Sources 2
📦 Affected Products / CPE 1 entries
pocket-id:pocket_id