Skip to main content

liboauth2 CVE-2026-54430

| EUVDEUVD-2026-41276 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-02 CERT-PL GHSA-qrcr-3862-9f4c
5.1
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.8 MEDIUM

JWT submitted over network pre-verification requires no privileges; scope changes as SSRF reaches internal systems; no integrity or availability impact on the vulnerable system itself.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 12:02 EUVD
Analysis Generated
Jul 02, 2026 - 11:16 vuln.today

DescriptionCVE.org

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET is issued before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path.

This issue was fixed in version 2.3.0

AnalysisAI

Server-Side Request Forgery in liboauth2 prior to version 2.3.0 allows an unauthenticated attacker to force any application using the AWS ALB JWT verification path to issue GET requests to arbitrary internal network paths. The vulnerability exists because the oauth2_jose_jwks_aws_alb_resolve() function reads the unverified kid JWT header field and appends it directly to the configured alb_base_url - without URL encoding or path sanitization - before any cryptographic signature check occurs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate or infer target application's configured ALB signer ARN
Delivery
Craft unsigned JWT with matching signer and malicious kid path payload
Exploit
Submit JWT to liboauth2-protected application endpoint
Execution
Library appends unsanitized kid to alb_base_url pre-verification
Persist
Server issues GET request to attacker-chosen internal path
Impact
Attacker receives or infers response from internal target

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses liboauth2 with the AWS ALB JWT verification mode enabled - specifically, the `oauth2_jose_jwks_aws_alb_resolve()` function must be active in the library configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N, score 5.1) assigns a local attack vector, which is potentially inconsistent with the described scenario: an attacker crafting a JWT and submitting it to a network-exposed application endpoint is a network-reachable operation, not a local one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting an application behind an AWS ALB that uses liboauth2 for JWT verification crafts a token with a `signer` field matching the application's configured ALB ARN (obtainable via AWS account enumeration or exposure) and sets `kid` to a path-traversal string such as `../../169.254.169.254/latest/meta-data/iam/security-credentials/`. The attacker submits this JWT to the application's authentication endpoint; before any signature check occurs, the server constructs and fetches the crafted URL, potentially leaking AWS instance metadata or probing internal services. …
Remediation Upgrade liboauth2 to version 2.3.0 or later, which resolves the issue via commit 347507ac5b51f48c2933bbe49b2ee07c2af4712b (https://github.com/OpenIDC/liboauth2/commit/347507ac5b51f48c2933bbe49b2ee07c2af4712b). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy