🔐 CVE Alert

CVE-2026-54430

Severity: UNKNOWN (CVSS 0.0)

Server-Side Request Forgery in liboauth2

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

liboauth2 is vulnerable to Server-Side Request Forgery in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET is issued before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path. This issue was fixed in version 2.3.0.
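Because the key must be fetched before the signature can be checked, the kid from the header has to be treated as untrusted input and constrained before it ever reaches a URL. The following is an added example of that defensive check, written for this page; it is not liboauth2's code or its actual fix, and the function names, the "<base>/<kid>" URL layout and the length limit are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed upper bound on an acceptable key id (constructed for this example). */
#define ALB_KID_MAX_LEN 128

/* Returns 1 when kid is safe to place in a URL path segment: non-empty,
 * bounded, and limited to [A-Za-z0-9._-] with no ".." sequence.  Slashes,
 * '?', '#', '%', whitespace and control bytes are all rejected, so the
 * header value cannot redirect the request to another path or host. */
int alb_kid_is_safe(const char *kid) {
    if (kid == NULL) return 0;
    size_t n = strlen(kid);
    if (n == 0 || n > ALB_KID_MAX_LEN) return 0;
    if (strstr(kid, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)kid[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.')) return 0;
    }
    return 1;
}

/* Builds "<base>/<kid>" into out only if kid passed validation.
 * Returns 1 on success, 0 if kid was rejected or out is too small. */
int alb_build_jwks_url(const char *base, const char *kid,
                       char *out, size_t outlen) {
    if (base == NULL || out == NULL || outlen == 0) return 0;
    if (!alb_kid_is_safe(kid)) return 0;
    int n = snprintf(out, outlen, "%s/%s", base, kid);
    if (n < 0 || (size_t)n >= outlen) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample values: a well-formed kid and a path-traversal one. */
    const char *base = "https://alb-keys.example";   /* placeholder base URL */
    char url[256];
    if (alb_build_jwks_url(base, "1f2e3d4c-aaaa-bbbb-cccc-123456789abc", url, sizeof url))
        printf("fetch: %s\n", url);
    if (!alb_build_jwks_url(base, "../../internal/admin", url, sizeof url))
        printf("rejected traversal kid\n");
    return 0;
}
```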

CWE: CWE-918
Vendor: openidc
Product: liboauth2
Published: Jul 2, 2026
Last Updated: Jul 2, 2026

Affected Versions

OpenIDC / liboauth2
0 < 2.3.0

References

NVD, CVE.org, EPSS Data
cert.pl: https://cert.pl/en/posts/2026/07/CVE-2026-54430
github.com: https://github.com/OpenIDC/liboauth2
github.com: https://github.com/OpenIDC/liboauth2/commit/347507ac5b51f48c2933bbe49b2ee07c2af4712b

Credits

Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)