Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
JWT submitted over network pre-verification requires no privileges; scope changes as SSRF reaches internal systems; no integrity or availability impact on the vulnerable system itself.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET is issued before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path.
This issue was fixed in version 2.3.0
AnalysisAI
Server-Side Request Forgery in liboauth2 prior to version 2.3.0 allows an unauthenticated attacker to force any application using the AWS ALB JWT verification path to issue GET requests to arbitrary internal network paths. The vulnerability exists because the oauth2_jose_jwks_aws_alb_resolve() function reads the unverified kid JWT header field and appends it directly to the configured alb_base_url - without URL encoding or path sanitization - before any cryptographic signature check occurs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses liboauth2 with the AWS ALB JWT verification mode enabled - specifically, the `oauth2_jose_jwks_aws_alb_resolve()` function must be active in the library configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N, score 5.1) assigns a local attack vector, which is potentially inconsistent with the described scenario: an attacker crafting a JWT and submitting it to a network-exposed application endpoint is a network-reachable operation, not a local one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting an application behind an AWS ALB that uses liboauth2 for JWT verification crafts a token with a `signer` field matching the application's configured ALB ARN (obtainable via AWS account enumeration or exposure) and sets `kid` to a path-traversal string such as `../../169.254.169.254/latest/meta-data/iam/security-credentials/`. The attacker submits this JWT to the application's authentication endpoint; before any signature check occurs, the server constructs and fetches the crafted URL, potentially leaking AWS instance metadata or probing internal services. … |
| Remediation | Upgrade liboauth2 to version 2.3.0 or later, which resolves the issue via commit 347507ac5b51f48c2933bbe49b2ee07c2af4712b (https://github.com/OpenIDC/liboauth2/commit/347507ac5b51f48c2933bbe49b2ee07c2af4712b). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41276
GHSA-qrcr-3862-9f4c