CVE-2026-54431
Improper Data Validation in liboauth2
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
In liboauth2, the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header. This issue was fixed in version 2.3.0.
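As an added illustration of the RFC 9449 section 4.3 header checks the advisory refers to (example code written here, not liboauth2's own): a header-only DPoP proof validator that rejects a jwk carrying private key material, exercised with constructed sample proofs. Key coordinates and the payload/signature segments are placeholders, and signature, htm/htu, iat, jti and ath validation is deliberately left out.

```python
import base64
import json
# JWK members that exist only in private keys (RFC 7518 section 6). A DPoP
# proof's "jwk" header must carry the public key only (RFC 9449 section 4.3).
PRIVATE_JWK_MEMBERS = {"EC": {"d"}, "OKP": {"d"},
                       "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"}}

def jwk_has_private_material(jwk: dict) -> bool:
    """True if the JWK carries a private member or is a symmetric key."""
    kty = jwk.get("kty")
    if kty == "oct":
        return True  # a symmetric key is itself a secret; never valid for DPoP
    return any(member in jwk for member in PRIVATE_JWK_MEMBERS.get(kty, ()))

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_dpop_header(proof: str) -> tuple:
    """Header-only checks from RFC 9449 section 4.3 (steps 2 to 7).
    Signature, htm/htu, iat, jti and ath checks are out of scope here."""
    parts = proof.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "unparseable JOSE header"
    if not isinstance(header, dict) or header.get("typ") != "dpop+jwt":
        return False, "typ is not dpop+jwt"
    alg = str(header.get("alg", ""))
    if alg in ("", "none") or alg.startswith("HS"):
        return False, "alg must be an asymmetric signature algorithm"
    jwk = header.get("jwk")
    if not isinstance(jwk, dict):
        return False, "missing jwk header"
    if jwk_has_private_material(jwk):  # the check this CVE's verifier skipped
        return False, "jwk contains private key material (step 7)"
    return True, "header ok"

def make_proof(header: dict) -> str:
    """Compact JWS from a constructed header; payload/signature are placeholders."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join(enc(x) for x in (json.dumps(header).encode(), b"{}", b"sig"))

# Constructed sample keys: coordinates are placeholders, not real key values.
PUBLIC_EC = {"kty": "EC", "crv": "P-256", "x": "x-coord", "y": "y-coord"}
LEAKED_EC = dict(PUBLIC_EC, d="private-scalar")
GOOD_PROOF = make_proof({"typ": "dpop+jwt", "alg": "ES256", "jwk": PUBLIC_EC})
BAD_PROOF = make_proof({"typ": "dpop+jwt", "alg": "ES256", "jwk": LEAKED_EC})
```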
| CWE | CWE-358 |
| Vendor | openidc |
| Product | liboauth2 |
| Published | Jul 2, 2026 |
| Last Updated | Jul 2, 2026 |
Affected Versions
OpenIDC / liboauth2
0 < 2.3.0 (all versions before 2.3.0)
References
Credits
Michał Majchrowicz (AFINE Team), Marcin Wyczechowski (AFINE Team)