CVE Catalog

CVE-2026-54431

Severity: Medium (CVSS 5.1)
Source: NVD (NIST)

Summary

In the liboauth2 library, the DPoP verifier accepts a proof whose `jwk` header contains private key material. The `oauth2_token_verify()` function returns success for a malformed DPoP proof that embeds a private EC key, violating the RFC 9449 requirement that such proofs be rejected.

Risk Assessment

An attacker who can craft such a proof could impersonate an authorized user or device, gaining unauthorized access to protected resources and potentially exfiltrating data.

Recommendation

Immediately update the liboauth2 library to version 2.3.0 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

In liboauth2, the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header. This issue was fixed in version 2.3.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS