CVE-2026-54431

Name: CVE-2026-54431
Description: In liboauth2, the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header. This issue was fixed in version 2.3.0.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release    | Version   | Status
liboauth2 (PTS) | bullseye   | 1.4.0.1-1 | vulnerable
liboauth2 (PTS) | bookworm   | 1.4.5.4-1 | vulnerable
liboauth2 (PTS) | trixie     | 2.1.0-2   | vulnerable
liboauth2 (PTS) | forky, sid | 2.3.0-1   | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
liboauth2 | source | (unstable) | 2.3.0-1       |         |        |

Notes

Fixed by: https://github.com/OpenIDC/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800 (v2.3.0)
