| CVE ID | CVE-2026-54430 |
| Publication date | 02 July 2026 |
| Vendor | OpenIDC |
| Product | liboauth2 |
| Vulnerable versions | All before 2.3.0 |
| Vulnerability type (CWE) | Server-Side Request Forgery (SSRF) (CWE-918) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2026-54431 |
| Publication date | 02 July 2026 |
| Vendor | OpenIDC |
| Product | liboauth2 |
| Vulnerable versions | All before 2.3.0 |
| Vulnerability type (CWE) | Improperly Implemented Security Check for Standard (CWE-358) |
| Report source | Report to CERT Polska |

Description
CERT Polska has received a report about vulnerabilities in OpenIDC liboauth2 software and participated in coordinating their disclosure.
The vulnerability CVE-2026-54430: liboauth2 is vulnerable to Server-Side Request Forgery in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET request is sent before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path.
The vulnerability CVE-2026-54431: in liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.
These issues were fixed in version 2.3.0.
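The two checks the description calls for, written as an added example in Python that is not liboauth2's own code: the untrusted JWT header is parsed, the ALB kid is validated against a strict allow-list before any key URL is built (so no request is made for a non-conforming kid), and a DPoP jwk header is rejected when it carries private-key members. The kid character set, the signer ARN and the base URL are assumptions constructed for the example.

```python
import base64
import json
import re

# Private-key members of a JWK (RFC 7518 section 6); none may appear in a DPoP "jwk" header.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Allow-list for the ALB "kid" value. AWS ALB key ids are opaque tokens; the exact character
# set and length here are an assumption for this example, chosen so that no "/", ".", "%"
# or "?" can reach the URL that is fetched.
ALB_KID_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment that may lack padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(header: dict) -> str:
    """Build a compact JWT with an empty payload and a dummy signature (constructed test vector)."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), enc(b"\x00")])


def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT. Nothing is verified yet: every value is untrusted."""
    return json.loads(b64url_decode(token.split(".")[0]))


def alb_jwks_url(alb_base_url: str, header: dict, expected_signer: str):
    """Return the key URL to fetch, or None to reject the token before any request is made.
    Both "signer" and "kid" come from the unverified header, so the kid is checked against a
    strict allow-list instead of being appended to the base URL as-is."""
    kid = header.get("kid")
    if header.get("signer") != expected_signer or not isinstance(kid, str):
        return None
    if ALB_KID_RE.fullmatch(kid) is None:
        return None
    return alb_base_url.rstrip("/") + "/" + kid


def dpop_jwk_is_public(header: dict) -> bool:
    """RFC 9449 section 4.3 step 7: the "jwk" header must be a public key with no private members."""
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "kty" not in jwk:
        return False
    return not (PRIVATE_JWK_MEMBERS & set(jwk))
```

A proof that fails dpop_jwk_is_public() or a token for which alb_jwks_url() returns None should be rejected outright, and the rejection logged, before any network access or signature check.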
Credits
We thank Michał Majchrowicz and Marcin Wyczechowski from AFINE Team for responsibly reporting these vulnerabilities.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.