PT-2026-54958 · Liboauth2 · Liboauth2
Marcin Wyczechowski (+1)
Published 2026-07-02 · Updated 2026-07-02
CVE-2026-54431
CVSS v4.0: 5.1 (Medium)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
liboauth2 versions prior to 2.3.0
Description
The Demonstrating Proof-of-Possession (DPoP) verifier fails to properly validate the JSON Web Key (jwk) JOSE header. Specifically, the oauth2_token_verify() function returns success even when a malformed DPoP proof embeds private Elliptic Curve (EC) key material in the jwk header, violating RFC 9449, which mandates that such proofs be rejected.
Recommendations
Update to version 2.3.0.
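The header check that this advisory describes as missing, written out as an added example in Python; it is not liboauth2's own code (which is C), and the function names, the placeholder key coordinates and the sample claims are constructed for illustration. RFC 9449 §4.3 requires a verifier to reject a DPoP proof whose jwk header carries a private key; the example generalizes beyond the EC case on this page by using the private-member lists of RFC 7518 for EC, RSA and OKP keys, and also rejects symmetric keys and the "none" algorithm. Signature verification and claim checks (htm, htu, iat, jti, ath) are deliberately out of scope.

```python
import base64
import json

# Private-key members per JWK key type (RFC 7518 §6). A DPoP "jwk" header
# containing any of these MUST be rejected (RFC 9449 §4.2 and §4.3).
# "oct" is listed so that symmetric keys are refused outright.
PRIVATE_MEMBERS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "OKP": {"d"},
    "oct": {"k"},
}


def _b64url_decode(segment: str) -> bytes:
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_dpop_header(proof: str):
    """Validate only the JOSE header of a compact-serialized DPoP proof.

    Returns (True, "ok") when the header passes the RFC 9449 §4.3 header
    checks, otherwise (False, reason). Hypothetical helper, not liboauth2 API.
    """
    parts = proof.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "header is not valid base64url JSON"
    if not isinstance(header, dict):
        return False, "header is not a JSON object"
    if header.get("typ") != "dpop+jwt":
        return False, "typ must be dpop+jwt"
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none" or alg.startswith("HS"):
        return False, "alg must name an asymmetric algorithm"
    jwk = header.get("jwk")
    if not isinstance(jwk, dict):
        return False, "jwk header missing or not an object"
    kty = jwk.get("kty")
    if kty not in PRIVATE_MEMBERS or kty == "oct":
        return False, f"unsupported key type {kty!r}"
    # The check this advisory says was absent: refuse any private member.
    leaked = sorted(PRIVATE_MEMBERS[kty].intersection(jwk))
    if leaked:
        return False, f"jwk contains private key material: {leaked}"
    return True, "ok"


# Constructed sample keys: placeholders only, not real curve points or scalars.
PUBLIC_EC_JWK = {"kty": "EC", "crv": "P-256",
                 "x": "x-coordinate-placeholder", "y": "y-coordinate-placeholder"}
LEAKY_EC_JWK = dict(PUBLIC_EC_JWK, d="private-scalar-placeholder")


def make_proof(jwk: dict, alg: str = "ES256", typ: str = "dpop+jwt") -> str:
    """Build a compact JWS with the given header; payload and signature are
    constructed placeholders because only the header is examined here."""
    header = {"typ": typ, "alg": alg, "jwk": jwk}
    payload = {"htm": "POST", "htu": "https://as.example/token",
               "jti": "constructed-jti", "iat": 1700000000}
    signature = _b64url_encode(b"\x00" * 64)  # placeholder, not a real signature
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        signature,
    ])


if __name__ == "__main__":
    for label, proof in [("public-only jwk", make_proof(PUBLIC_EC_JWK)),
                         ("jwk with private d", make_proof(LEAKY_EC_JWK)),
                         ("alg none", make_proof(PUBLIC_EC_JWK, alg="none"))]:
        print(label, "->", check_dpop_header(proof))
```

A verifier should run this header check before any signature work: the public key used to verify the proof signature is taken from that same jwk, so a header that already fails these checks must never reach the signature step.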
Fix
Weakness Enumeration
Improperly Implemented Security Check for Standard
Related Identifiers
Affected Products
Liboauth2