PT-2026-54958 · Liboauth2 · Liboauth2

Marcin Wyczechowski

Published 2026-07-02 · Updated 2026-07-02

CVE-2026-54431

CVSS v4.0: 5.1 (Medium)

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: liboauth2 versions prior to 2.3.0

Description: The Demonstrating Proof-of-Possession (DPoP) verifier fails to properly validate the JSON Web Key (jwk) header of the proof. Specifically, the oauth2_token_verify() function returns success even when a malformed DPoP proof embeds private Elliptic Curve (EC) key material in that header, whereas RFC 9449 requires the jwk header to carry only the public key and mandates that such proofs be rejected.

Recommendations: Update to version 2.3.0.
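As an added illustration (not liboauth2's code), the header checks that RFC 9449 section 4.3 requires of a DPoP verifier, in Python, including the rejection of a jwk that carries private-key members, which is the check the advisory describes as missing. The sample proofs are constructed and unsigned; verifying the signature against the embedded public key is assumed to happen in a separate step.

```python
import base64
import json

# Private-key members per JWK key type (RFC 7518 section 6). RFC 9449 section 4.2
# requires the "jwk" header of a DPoP proof to carry the public key only.
PRIVATE_MEMBERS = {"EC": {"d"}, "OKP": {"d"},
                   "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"}}
# Asymmetric JWS algorithms allowed for DPoP, mapped to the key type they require.
ALG_TO_KTY = {"ES256": "EC", "ES384": "EC", "ES512": "EC", "EdDSA": "OKP",
              **{a: "RSA" for a in ("RS256", "RS384", "RS512", "PS256", "PS384", "PS512")}}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_dpop_header(proof: str) -> "tuple[bool, str]":
    """RFC 9449 section 4.3 header checks on a DPoP proof JWT; returns (ok, reason).
    Verifying the signature against the embedded public key is a separate step."""
    parts = proof.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        hdr = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "header is not valid JSON"
    if not isinstance(hdr, dict) or hdr.get("typ") != "dpop+jwt":
        return False, "typ must be dpop+jwt"
    alg = hdr.get("alg")
    if alg not in ALG_TO_KTY:
        return False, "alg must be an asymmetric JWS algorithm (not none/HMAC)"
    jwk = hdr.get("jwk")
    if not isinstance(jwk, dict) or jwk.get("kty") != ALG_TO_KTY[alg]:
        return False, "jwk missing or key type does not match alg"
    leaked = sorted(set(jwk) & PRIVATE_MEMBERS[jwk["kty"]])
    if leaked:
        # The check the advisory describes as missing: reject the proof, do not ignore it.
        return False, f"jwk contains private key members: {leaked}"
    return True, "header ok"

def make_proof(header: dict) -> str:
    """Build a constructed, unsigned proof (only the header matters for these checks)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), enc(b"sig")])

# Constructed sample proofs: a public-only P-256 key, and the same key leaking "d".
PUBLIC_EC = {"kty": "EC", "crv": "P-256", "x": "AA", "y": "AA"}
GOOD = make_proof({"typ": "dpop+jwt", "alg": "ES256", "jwk": PUBLIC_EC})
BAD = make_proof({"typ": "dpop+jwt", "alg": "ES256", "jwk": {**PUBLIC_EC, "d": "AA"}})
```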

Fix

Weakness Enumeration

Improperly Implemented Security Check for Standard

Related Identifiers

CVE-2026-54431

Affected Products

Liboauth2