liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT
header. If signer matches the configured ARN, kid is appended to
alb_base_url without URL encoding or path sanitization, and the HTTP GET
is issued before signature verification. This allows an attacker to force
the server to send a GET request to an attacker-chosen internal path.
This issue was fixed in version 2.3.0
Metrics
Affected Vendors & Products
References
History
Mon, 06 Jul 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Openidc
Openidc liboauth2 |
|
| Vendors & Products |
Openidc
Openidc liboauth2 |
Sat, 04 Jul 2026 02:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 03 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Thu, 02 Jul 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
Thu, 02 Jul 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET is issued before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path. This issue was fixed in version 2.3.0 | |
| Title | Server-Site Request Forgery in liboauth2 | |
| Weaknesses | CWE-918 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: CERT-PL
Published: 2026-07-02T10:30:33.766Z
Updated: 2026-07-02T12:17:21.724Z
Reserved: 2026-06-15T13:08:01.056Z
Link: CVE-2026-54430
Updated: 2026-07-02T12:17:17.824Z
No data.