CVE-2026-54430
Server-Side Request Forgery in liboauth2
| Metric | Value |
|---|---|
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
liboauth2 is vulnerable to Server-Side Request Forgery in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET is issued before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path. This issue was fixed in version 2.3.0.
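The step the advisory singles out is the one where a header field that has not yet been authenticated becomes part of a URL. Because the key lookup necessarily happens before the signature can be checked, the only defence at that point is to treat kid as untrusted input: allow-list its characters and length, and refuse to build the URL otherwise. The following is an added example illustrating that pattern; it is not liboauth2's code, the function names are hypothetical, and the base URL and key IDs are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Upper bound on an acceptable key identifier (assumed value). */
#define KID_MAX_LEN 128

/* Allow-list check for a JWT "kid" taken from an unverified header.
 * Only alphanumerics, '-' and '_' are accepted, so a value can never
 * introduce '/', '?', '#', '.' or whitespace into the request path. */
bool kid_is_safe(const char *kid)
{
    if (kid == NULL)
        return false;
    size_t n = strlen(kid);
    if (n == 0 || n > KID_MAX_LEN)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)kid[i];
        if (!(isalnum(c) || c == '-' || c == '_'))
            return false;
    }
    return true;
}

/* Build "<base>/<kid>" only after the kid passed the allow-list.
 * Returns 0 on success; -1 if the kid was rejected or the buffer is
 * too small. A rejected kid never reaches the HTTP client. */
int build_jwks_url(const char *base, const char *kid, char *out, size_t outlen)
{
    if (base == NULL || out == NULL || outlen == 0 || !kid_is_safe(kid))
        return -1;
    size_t blen = strlen(base);
    /* Drop trailing slashes so exactly one separator is emitted. */
    while (blen > 0 && base[blen - 1] == '/')
        blen--;
    int w = snprintf(out, outlen, "%.*s/%s", (int)blen, base, kid);
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not real endpoints or keys. */
    const char *base = "https://alb-keys.example.invalid/";
    const char *samples[] = { "d1e6ab2b-3a9c-4b0d-9f4e-0c1a2b3c4d5e",
                              "kid/with/segments", "kid?query=1", "" };
    char url[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_jwks_url(base, samples[i], url, sizeof url) == 0)
            printf("accepted: %s\n", url);
        else
            printf("rejected kid: \"%s\"\n", samples[i]);
    }
    return 0;
}
```

The allow-list approach is deliberately stricter than percent-encoding alone: encoding would make a hostile kid harmless in the path, but rejecting it outright also denies the attacker a signal about which key IDs the server is willing to fetch, and it keeps the failure visible in logs.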
| Field | Value |
|---|---|
| CWE | CWE-918 |
| Vendor | openidc |
| Product | liboauth2 |
| Published | Jul 2, 2026 |
| Last Updated | Jul 2, 2026 |
Affected Versions
OpenIDC / liboauth2
all versions before 2.3.0 (>= 0, < 2.3.0)
References
Credits
Michał Majchrowicz (AFINE Team), Marcin Wyczechowski (AFINE Team)