CVE-2026-54430

MEDIUM
5.1
CVSS 4.0
Description
liboauth2 before version 2.3.0 is vulnerable to Server-Side Request Forgery (SSRF) in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB token verifier reads both the signer and kid fields from the JWT header while the token is still unverified. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and an HTTP GET to the resulting URL is issued before the token's signature is verified. An attacker who can present a crafted token can therefore make the server send a GET request to an attacker-chosen internal path. This issue was fixed in version 2.3.0.
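The following is an added illustration of the flaw class described above; it is not liboauth2 code and does not reproduce the project's actual functions. It takes an already base64url-decoded JWT header, compares signer against a configured ARN exactly as the advisory describes, and shows the difference between appending kid verbatim (the vulnerable shape) and rejecting any kid that does not have the UUID form. The base URL, ARN and header values are constructed placeholders, and the UUID-shape rule is an assumption chosen for the example, not a statement of what version 2.3.0 does.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not liboauth2 code): how an unsanitized kid taken from an
 * unverified JWT header turns the ALB key-fetch URL into an SSRF primitive,
 * and one way to close it. Header JSON is passed already base64url-decoded. */

#define KID_MAX 128
#define URL_MAX 512

/* Minimal extractor for a top-level string field; enough for the constructed
 * headers below, not a general JSON parser (no escape handling). */
static int json_str_field(const char *json, const char *key, char *out, size_t outlen)
{
    char pat[64];
    if (snprintf(pat, sizeof pat, "\"%s\":\"", key) >= (int)sizeof pat) return -1;
    const char *p = strstr(json, pat);
    if (!p) return -1;
    p += strlen(pat);
    const char *e = strchr(p, '"');
    if (!e || (size_t)(e - p) >= outlen) return -1;
    memcpy(out, p, (size_t)(e - p));
    out[e - p] = '\0';
    return 0;
}

/* Shape of the bug in the advisory: signer is compared, but kid is appended
 * to the base URL verbatim, so whatever path the attacker writes into the
 * header becomes the target of the server's GET, before any signature check. */
int alb_key_url_unsafe(const char *base_url, const char *expected_signer,
                       const char *hdr_json, char *out, size_t outlen)
{
    char signer[256], kid[KID_MAX];
    if (json_str_field(hdr_json, "signer", signer, sizeof signer) != 0) return -1;
    if (strcmp(signer, expected_signer) != 0) return -1;
    if (json_str_field(hdr_json, "kid", kid, sizeof kid) != 0) return -1;
    int n = snprintf(out, outlen, "%s/%s", base_url, kid);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardening rule assumed for this example: accept only kid values with UUID
 * shape (8-4-4-4-12 hex digits). Anything containing "..", "/", "?", "#" or
 * "%" fails before a URL is ever built. Check the rule against your own ALB
 * tokens before relying on it. */
int alb_kid_is_uuid(const char *kid)
{
    if (strlen(kid) != 36) return 0;
    for (int i = 0; i < 36; i++) {
        int dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash ? (kid[i] != '-') : !isxdigit((unsigned char)kid[i])) return 0;
    }
    return 1;
}

int alb_key_url_safe(const char *base_url, const char *expected_signer,
                     const char *hdr_json, char *out, size_t outlen)
{
    char signer[256], kid[KID_MAX];
    if (json_str_field(hdr_json, "signer", signer, sizeof signer) != 0) return -1;
    if (strcmp(signer, expected_signer) != 0) return -1;
    if (json_str_field(hdr_json, "kid", kid, sizeof kid) != 0) return -1;
    if (!alb_kid_is_uuid(kid)) return -1;   /* refuse to fetch on a malformed kid */
    int n = snprintf(out, outlen, "%s/%s", base_url, kid);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Constructed sample inputs: placeholder host and ARN, not real AWS values. */
#define BASE   "https://alb-keys.example.invalid"
#define SIGNER "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef"
static const char *HDR_OK  = "{\"alg\":\"ES256\",\"kid\":\"12345678-1234-1234-1234-123456789012\",\"signer\":\"" SIGNER "\"}";
static const char *HDR_BAD = "{\"alg\":\"ES256\",\"kid\":\"../../internal/admin?x=\",\"signer\":\"" SIGNER "\"}";

int main(void)
{
    char url[URL_MAX];
    if (alb_key_url_unsafe(BASE, SIGNER, HDR_BAD, url, sizeof url) == 0)
        printf("unsafe resolver would GET: %s\n", url);
    printf("safe resolver on crafted kid: %d\n",
           alb_key_url_safe(BASE, SIGNER, HDR_BAD, url, sizeof url));
    if (alb_key_url_safe(BASE, SIGNER, HDR_OK, url, sizeof url) == 0)
        printf("safe resolver on valid kid would GET: %s\n", url);
    return 0;
}
```

Note that the fetch of the signing key necessarily happens before the signature can be checked, so ordering alone cannot fix this; the control has to be on what the unverified kid is allowed to contain, and ideally the resolved URL should additionally be confirmed to stay under alb_base_url after normalisation.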

Metadata

CVE ID
CVE-2026-54430
State
PUBLISHED
Assigner
CERT-PL
Reserved
2026-06-15 13:08 UTC
Published
2026-07-02 10:30 UTC
Last updated
2026-07-02 12:17 UTC
Primary CWE
CWE-918
CWE-918 Server-Side Request Forgery (SSRF)
Vendor / Product
OpenIDC / liboauth2
Sources
cve.org  ·  NVD

Severity & Metrics

5.1 MEDIUM CVSS 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)

Vendor    Product    Platform         Versions
OpenIDC   liboauth2  (not specified)  0 <= version < 2.3.0

Weakness (CWE)

CWE      Source  Description
CWE-918  cna     Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score  Severity  Version  Source  Vector
5.1    MEDIUM    4.0      cna     CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N