Impact
Pocket ID, an OIDC provider, incorrectly validates the authorization code during token exchange. The token endpoint is supposed to reject a code when the presenting client's ID does not match the client the code was issued to, or when the code has expired. The flawed check rejects the request only when both conditions fail at once, that is, when the client ID mismatches and the code has also expired. As a result, an attacker who obtains a valid, unexpired code issued to another client can present it under their own client ID and be issued tokens for a client that was never authorized. The same flaw lets a client redeem a code that has already expired, further expanding the potential for abuse. The consequences include unauthorized access to services, data exposure, and potential privilege escalation if the client the code was issued to has elevated privileges.
Affected Systems
The affected product is Pocket ID (pocket-id:pocket-id). All versions prior to 2.4.0 are affected. Users running any earlier release should upgrade to 2.4.0 or later, which corrects the validation check.
Risk and Exploitability
The CVSS score of 8.5 places this problem in the High severity range. The EPSS score of less than 1% indicates a very low estimated likelihood of exploitation in the wild, and the vulnerability is not included in CISA's KEV catalog. An attacker could exploit it by crafting an authorization_code grant request to the /token endpoint, supplying an unexpired authorization code issued to a different client together with the attacker's own client ID. Because the server only rejects a code that both belongs to another client and has expired, the stolen code is accepted and tokens are issued to the unauthorized client. The attacker still has to obtain a code issued to the victim client; the flaw removes the client binding that would otherwise make such a code useless to anyone else. Because the flaw is entirely server-side, no special client behavior or client-side manipulation is needed for exploitation.
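As an added example covering both the impact description above and the exploitation path in this section (this is not Pocket ID's own code; the types, the in-memory code store, the client names and the returned token string are constructed for illustration), the following Go program places the described AND-instead-of-OR check beside a corrected one and runs both against a fresh code presented by the wrong client and an expired code presented by the right client:

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuthorizationCode is the state an OIDC provider keeps for each issued code.
// Hypothetical type for this example; it is not Pocket ID's own data model.
type AuthorizationCode struct {
	ClientID  string    // client the code was issued to
	ExpiresAt time.Time // absolute expiry of the code
}

// TokenRequest carries the parameters of an authorization_code grant at /token.
type TokenRequest struct {
	GrantType string
	Code      string
	ClientID  string
}

var ErrInvalidGrant = errors.New("invalid_grant")

// validateVulnerable reproduces the logic flaw the advisory describes: the code
// is rejected only when the client ID mismatches AND the code has expired, so a
// fresh code stolen from another client, or an expired code from the right
// client, both pass.
func validateVulnerable(code AuthorizationCode, clientID string, now time.Time) error {
	if code.ClientID != clientID && now.After(code.ExpiresAt) {
		return ErrInvalidGrant
	}
	return nil
}

// validateFixed rejects on either failure, as RFC 6749 section 4.1.3 requires:
// the code must have been issued to this client and must still be unexpired.
func validateFixed(code AuthorizationCode, clientID string, now time.Time) error {
	if code.ClientID != clientID {
		return ErrInvalidGrant
	}
	if !now.Before(code.ExpiresAt) {
		return ErrInvalidGrant
	}
	return nil
}

// exchange looks the code up in store, runs the supplied validator, and returns
// a constructed (non-cryptographic) token string on success. The code is deleted
// on success because authorization codes are single-use.
func exchange(store map[string]AuthorizationCode, req TokenRequest, now time.Time,
	validate func(AuthorizationCode, string, time.Time) error) (string, error) {
	if req.GrantType != "authorization_code" {
		return "", errors.New("unsupported_grant_type")
	}
	code, ok := store[req.Code]
	if !ok {
		return "", ErrInvalidGrant
	}
	if err := validate(code, req.ClientID, now); err != nil {
		return "", err
	}
	delete(store, req.Code)
	return "access-token-for-" + req.ClientID, nil
}

// newStore builds a constructed set of issued codes relative to now:
// one fresh and one already-expired code, both issued to client-a.
func newStore(now time.Time) map[string]AuthorizationCode {
	return map[string]AuthorizationCode{
		"fresh-code-client-a":   {ClientID: "client-a", ExpiresAt: now.Add(5 * time.Minute)},
		"expired-code-client-a": {ClientID: "client-a", ExpiresAt: now.Add(-5 * time.Minute)},
	}
}

func main() {
	now := time.Now()
	validators := []struct {
		name string
		fn   func(AuthorizationCode, string, time.Time) error
	}{{"vulnerable", validateVulnerable}, {"fixed", validateFixed}}
	for _, v := range validators {
		store := newStore(now)
		// Attacker scenario: client-b redeems a fresh code issued to client-a.
		_, err := exchange(store, TokenRequest{"authorization_code", "fresh-code-client-a", "client-b"}, now, v.fn)
		fmt.Printf("%-10s cross-client code: err=%v\n", v.name, err)
		// Replay scenario: client-a redeems its own expired code.
		_, err = exchange(store, TokenRequest{"authorization_code", "expired-code-client-a", "client-a"}, now, v.fn)
		fmt.Printf("%-10s expired code:      err=%v\n", v.name, err)
	}
}
```

With the vulnerable validator both scenarios return a nil error and a token; only a request that is wrong on both counts (another client's code that has also expired) is refused. The fixed validator refuses each scenario on its own. When reviewing or testing any token endpoint, exercise the two failure conditions separately rather than together, since a combined test cannot distinguish an `&&` from an `||`.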
OpenCVE Enrichment
GitHub GHSA