CVE-2026-54430

Source
https://cve.org/CVERecord?id=CVE-2026-54430
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54430.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54430
Downstream
Published
2026-07-02T10:30:33.766Z
Modified
2026-07-15T01:48:58.719677887Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
Server-Site Request Forgery in liboauth2
Details

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2josejwksawsalbresolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to albbase_url without URL encoding or path sanitization, and the HTTP GET is issued before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path.

This issue was fixed in version 2.3.0

Database specific
{
    "cna_assigner": "CERT-PL",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54430.json"
}
References

Affected packages

Git / github.com/openidc/liboauth2

Affected ranges

Type
GIT
Repo
https://github.com/openidc/liboauth2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.0"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.3.0
v1.4.0
v1.4.0.1
v1.4.1
v1.4.2
v1.4.2.1
v1.4.3
v1.4.3.1
v1.4.3.2
v1.4.4
v1.4.4.1
v1.4.4.2
v1.4.5
v1.4.5.1
v1.4.5.2
v1.4.5.3
v1.4.5.4
v1.4.5.5
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.2.0
v2.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54430.json"