
CVE-2026-54431

MEDIUM
5.1
CVSS 4.0
Description
In liboauth2, the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header. This issue was fixed in version 2.3.0.
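A defender-side check for the requirement described above, added here as an example and not liboauth2's own code (its fix is in C): it decodes the JOSE header of a compact DPoP proof and rejects any jwk that carries private-key members for its key type. Function names, the sample key values and the dummy payload are constructed; signature and claim verification are assumed to happen elsewhere.

```python
import base64
import json

# Private-key members by JWK key type (RFC 7518 section 6). A DPoP proof's
# jwk header must carry only the public key (RFC 9449 section 4.3 step 7).
PRIVATE_MEMBERS = {
    "EC": {"d"},
    "OKP": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwk_private_members(jwk):
    """Return the set of private-key members present in a JWK."""
    kty = jwk.get("kty")
    return PRIVATE_MEMBERS.get(kty if isinstance(kty, str) else "", set()) & set(jwk)

def dpop_header_ok(proof):
    """Header-only checks (typ, alg, jwk) on a compact DPoP proof.
    Signature and claims (htm, htu, iat, jti, ath) are verified elsewhere."""
    try:
        header = json.loads(_b64url_decode(proof.split(".")[0]))
    except (ValueError, IndexError):
        return False, "header is not base64url-encoded JSON"
    if not isinstance(header, dict) or header.get("typ") != "dpop+jwt":
        return False, "header must be a JSON object with typ dpop+jwt"
    alg = header.get("alg", "")
    if not isinstance(alg, str) or not alg or alg.lower() == "none" or alg.startswith("HS"):
        return False, "alg must be an asymmetric JWS algorithm"
    jwk = header.get("jwk")
    if not isinstance(jwk, dict):
        return False, "jwk header missing"
    leaked = jwk_private_members(jwk)
    if leaked:  # the check that was missing before liboauth2 2.3.0
        return False, "jwk contains private members: " + ", ".join(sorted(leaked))
    return True, "header ok"

def make_proof(header):
    """Build a compact token from a header, a dummy payload and a dummy signature
    (constructed for this demo; nothing is actually signed)."""
    payload = {"htm": "GET", "htu": "https://rs.example/resource"}
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "sig"])
```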

Metadata

CVE ID
CVE-2026-54431
State
PUBLISHED
Assigner
CERT-PL
Reserved
2026-06-15 13:08 UTC
Published
2026-07-02 10:30 UTC
Last updated
2026-07-02 12:16 UTC
Primary CWE
CWE-358
CWE-358 Improperly Implemented Security Check for Standard
Vendor / Product
OpenIDC / liboauth2
Sources
cve.org  ·  NVD

Severity & Metrics

5.1 MEDIUM CVSS 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
Vendor
OpenIDC
Product
liboauth2
Platform
(not specified)
Versions
0 < 2.3.0
Weakness (CWE)
CWE
CWE-358
Source
cna
Description
CWE-358 Improperly Implemented Security Check for Standard
CVSS scores (1)
Score
5.1
Severity
MEDIUM
Version
4.0
Source
cna
Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N