{"id":"CVE-2026-54431","summary":"Improper Data Validation in liboauth2","details":"In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.\n\nThis issue was fixed in version 2.3.0","modified":"2026-07-15T15:53:47.873655Z","published":"2026-07-02T10:30:57.655Z","database_specific":{"cna_assigner":"CERT-PL","cwe_ids":["CWE-358"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54431.json"},"references":[{"type":"ADVISORY","url":"https://cert.pl/en/posts/2026/07/CVE-2026-54430"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54431.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54431"},{"type":"REPORT","url":"https://github.com/OpenIDC/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800"},{"type":"PACKAGE","url":"https://github.com/OpenIDC/liboauth2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openidc/liboauth2","events":[{"introduced":"0"},{"fixed":"c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.3.0"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v2.2.1","v2.2.0","v2.1.1","v2.1.0","v2.0.0","v1.6.3","v1.6.2","v1.6.1","v1.6.0","v1.5.2","v1.5.1","v1.5.0","v1.4.5.5","v1.4.5.4","v1.4.5.3","v1.4.5.2","v1.4.5.1","v1.4.5","v1.4.4.2","v1.4.4.1","v1.4.4","v1.4.3.2","v1.4.3.1","v1.4.3","v1.4.2.1","v1.4.2","v1.4.1","v1.4.0.1","v1.4.0","v1.3.0","v1.1.1","v1.1.0","v1.0.1","v1.0.0"],"database_specific":{"vanir_signatures_modified":"2026-07-15T15:53:47Z","vanir_signatures":[{"deprecated":false,"digest":{"length":1637,"function_hash":"83611846850022088915769138665119651836"},"id":"CVE-2026-54431-2939a05d","signature_type":"Function","signature_version":"v1","source":"https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800","target":{"file":"src/dpop.c","function":"_oauth2_dpop_parse_and_validate"}},{"deprecated":false,"digest":{"function_hash":"23151308740223822434004474857488192091","length":1398},"id":"CVE-2026-54431-c67738d8","signature_type":"Function","signature_version":"v1","source":"https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800","target":{"file":"test/check_oauth2.c","function":"oauth2_check_oauth2_suite"}},{"id":"CVE-2026-54431-e2895ebe","signature_type":"Line","signature_version":"v1","source":"https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800","target":{"file":"src/dpop.c"},"deprecated":false,"digest":{"line_hashes":["67541579385498241229689638919352073542","71105923710531816751393950734704532798","139961722963137673956985017719948636216","127700674184590680035856868189802761110","51097996429359865857972172438617856776","132157232250875614060598125185693908018","156144776036564664485731944246208262585"],"threshold":0.9}},{"signature_version":"v1","source":"https://github.com/openidc/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800","target":{"file":"test/check_oauth2.c"},"deprecated":false,"digest":{"line_hashes":["170549969331734292478327281830221556824","268460145044189232012915006416416909219","124407356090368701310767382921407058748","229014875081080440884533028195834763880","203791388306551613751089239515025163376","311200433798077705135285511528313885251","60674617071991362239702694399017038991","170690881604179245514294911864901380586"],"threshold":0.9},"id":"CVE-2026-54431-e3eb2821","signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54431.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}