🔐 CVE Alert

CVE-2026-54431

UNKNOWN 0.0

Improper Data Validation in liboauth2

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

In liboauth2, the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header. This issue was fixed in version 2.3.0.
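The check the advisory refers to is a structural one on the proof's protected header, performed before any signature verification: the `jwk` member must describe a public key only. The following is an added Python example, not code from liboauth2, showing that header check on its own. It reads the compact JWS header, confirms the `typ` and `alg` values that RFC 9449 section 4.2 requires, and rejects a `jwk` that carries any of the private-key members defined in RFC 7518 section 6 (`d` for EC and OKP keys; `d`, `p`, `q`, `dp`, `dq`, `qi`, `oth` for RSA). The function name `check_dpop_header`, the sample proofs and the placeholder key coordinates are all constructed for this example; signature verification and the remaining RFC 9449 steps (`htm`, `htu`, `iat`, `jti`, `ath`) are out of scope here.

```python
import base64
import json

# JWK members that carry private key material (RFC 7518 section 6).
# Any of these inside a DPoP proof's "jwk" header means the proof must be
# rejected (RFC 9449 section 4.3, step 7). "oct" keys are absent on purpose:
# DPoP proofs must use asymmetric keys.
PRIVATE_JWK_MEMBERS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "OKP": {"d"},
}


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in compact JWS serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_dpop_header(proof: str) -> str:
    """Structural checks on a DPoP proof's protected header.

    Returns "ok" when the header is acceptable, otherwise a short reason.
    This deliberately runs before signature verification, since the key in
    the header is what the signature would be verified against.
    """
    parts = proof.split(".")
    if len(parts) != 3:
        return "not a compact JWS"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return "header is not valid base64url JSON"
    if not isinstance(header, dict):
        return "header is not a JSON object"
    if header.get("typ") != "dpop+jwt":
        return "typ is not dpop+jwt"
    alg = header.get("alg")
    if not isinstance(alg, str) or alg == "none" or alg.startswith("HS"):
        return f"alg not allowed for DPoP: {alg!r}"
    jwk = header.get("jwk")
    if not isinstance(jwk, dict):
        return "jwk header missing"
    kty = jwk.get("kty")
    if kty not in PRIVATE_JWK_MEMBERS:
        return f"symmetric or unsupported key type: {kty!r}"
    leaked = PRIVATE_JWK_MEMBERS[kty] & set(jwk)
    if leaked:
        return "jwk contains private key material: " + ",".join(sorted(leaked))
    return "ok"


def build_proof(header: dict) -> str:
    """Assemble a compact JWS with a constructed payload and signature.

    Only the header matters for check_dpop_header(); the payload and the
    signature bytes are placeholders, not a valid signed proof.
    """
    payload = {"htm": "GET", "htu": "https://rs.example/resource", "iat": 0, "jti": "example"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"\x00" * 64),  # constructed placeholder signature
    ])


# Constructed placeholder coordinates; not a real P-256 point.
_PUBLIC_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": _b64url_encode(b"\x01" * 32),
    "y": _b64url_encode(b"\x02" * 32),
}

# A well-formed proof header: public key only.
GOOD_PROOF = build_proof({"typ": "dpop+jwt", "alg": "ES256", "jwk": _PUBLIC_EC_JWK})

# The malformed shape described in the advisory: the same key with its
# private scalar "d" included in the header.
BAD_PROOF = build_proof({
    "typ": "dpop+jwt",
    "alg": "ES256",
    "jwk": dict(_PUBLIC_EC_JWK, d=_b64url_encode(b"\x03" * 32)),
})


if __name__ == "__main__":
    print("good proof:", check_dpop_header(GOOD_PROOF))
    print("bad proof: ", check_dpop_header(BAD_PROOF))
```

The order of the checks is the point worth keeping: an implementation that verifies the signature first and only then inspects the key will have already trusted a header it should have discarded. Placing the private-member test before any use of the key mirrors the RFC's sequence and makes the rejection independent of whether the embedded key happens to verify the signature.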

CWE: CWE-358
Vendor: openidc
Product: liboauth2
Published: Jul 2, 2026
Last Updated: Jul 2, 2026

Affected Versions

OpenIDC / liboauth2
0 < 2.3.0

References

- cert.pl: https://cert.pl/en/posts/2026/07/CVE-2026-54430
- github.com: https://github.com/OpenIDC/liboauth2
- github.com: https://github.com/OpenIDC/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800

Credits

Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)