Skip to main content

Liboauth2

2 CVEs product

Monthly

CVE-2026-54431 MEDIUM PATCH This Month

DPoP (Demonstrating Proof-of-Possession) proof verification in OpenIDC's liboauth2 C library incorrectly accepts malformed proofs that embed private Elliptic Curve (EC) key material in the JWK header, directly violating RFC 9449 §4.3 step 7. The `oauth2_token_verify()` function returns success instead of rejecting such proofs, subverting DPoP's core token-binding security guarantee and enabling information disclosure of private key material. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and a patch is available in liboauth2 2.3.0.

Information Disclosure Liboauth2
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-54430 MEDIUM PATCH This Month

Server-Side Request Forgery in liboauth2 prior to version 2.3.0 allows an unauthenticated attacker to force any application using the AWS ALB JWT verification path to issue GET requests to arbitrary internal network paths. The vulnerability exists because the `oauth2_jose_jwks_aws_alb_resolve()` function reads the unverified `kid` JWT header field and appends it directly to the configured `alb_base_url` - without URL encoding or path sanitization - before any cryptographic signature check occurs. No public exploit code has been identified at time of analysis, but the low attack complexity and zero privilege requirement make this a meaningful risk for AWS-integrated deployments where liboauth2 handles ALB token verification.

SSRF Liboauth2
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

DPoP (Demonstrating Proof-of-Possession) proof verification in OpenIDC's liboauth2 C library incorrectly accepts malformed proofs that embed private Elliptic Curve (EC) key material in the JWK header, directly violating RFC 9449 §4.3 step 7. The `oauth2_token_verify()` function returns success instead of rejecting such proofs, subverting DPoP's core token-binding security guarantee and enabling information disclosure of private key material. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and a patch is available in liboauth2 2.3.0.

Information Disclosure Liboauth2
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Server-Side Request Forgery in liboauth2 prior to version 2.3.0 allows an unauthenticated attacker to force any application using the AWS ALB JWT verification path to issue GET requests to arbitrary internal network paths. The vulnerability exists because the `oauth2_jose_jwks_aws_alb_resolve()` function reads the unverified `kid` JWT header field and appends it directly to the configured `alb_base_url` - without URL encoding or path sanitization - before any cryptographic signature check occurs. No public exploit code has been identified at time of analysis, but the low attack complexity and zero privilege requirement make this a meaningful risk for AWS-integrated deployments where liboauth2 handles ALB token verification.

SSRF Liboauth2
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy