A vulnerability identified as critical has been detected in pocket-id Pocket ID up to 2.5.x. Affected is the function createTokenFromRefreshToken of the component Refresh Token Handler. Manipulating this function causes improper authorization. The vulnerability is tracked as CVE-2026-43983. The attack may be initiated remotely. No exploit is available. You should upgrade the affected component.