Bug 2496726 - CVE-2026-54431 liboauth2: liboauth2: DPoP verifier accepts malformed proof with private key material [fedora-all]
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: liboauth2
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Alexander Bokovoy
QA Contact:
URL:
Whiteboard: {"flaws": ["7eb830f9-d8ef-40ca-a028-b...
Depends On:
Blocks: CVE-2026-54431
 
Reported: 2026-07-03 02:20 UTC by Jeremy Choi
Modified: 2026-07-03 02:20 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Jeremy Choi 2026-07-03 02:20:19 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.

This issue was fixed in version 2.3.0.


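The RFC 9449 section 4.3 header checks that the report says the verifier skipped, as an added Python example that is not liboauth2's code (liboauth2 is a C library, and this does not reproduce its oauth2_token_verify() logic): the proof's JOSE header is decoded, typ and alg are checked, and the jwk header is inspected for private members per key type, rejecting the proof when any are present (step 7). The sample JWKs, the payload claims and the proof builder are constructed placeholders; signature verification (step 6) and the claim checks are deliberately left out.

```python
"""Header-level checks for a DPoP proof JWT (RFC 9449 section 4.3).

Constructed example, not liboauth2 code. Only the JOSE header checks are
implemented; signature verification and claim validation are out of scope.
"""
import base64
import json

# Private members a JWK may carry, per key type (RFC 7518 section 6).
# A DPoP proof's jwk header must be a public key only: any of these => reject.
# "oct" (symmetric) keys are not listed because DPoP requires an asymmetric key,
# so an oct jwk is rejected outright before this table is consulted.
PRIVATE_JWK_MEMBERS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "OKP": {"d"},
}

# Asymmetric signature algorithms acceptable for a DPoP proof. RFC 9449 step 5
# forbids "none" and MAC-based algorithms such as HS256.
ALLOWED_DPOP_ALGS = {"ES256", "ES384", "ES512", "RS256", "RS384", "RS512",
                     "PS256", "PS384", "PS512", "EdDSA"}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_private_members(jwk: dict) -> set:
    """Return the private-key members present in an asymmetric JWK (empty if none)."""
    return set(jwk) & PRIVATE_JWK_MEMBERS.get(jwk.get("kty"), set())


def check_dpop_proof_header(proof: str):
    """Apply the RFC 9449 section 4.3 header checks to a compact-serialised proof.

    Returns (True, header) when the header passes, (False, reason) otherwise.
    """
    parts = proof.split(".")
    if len(parts) != 3:                                   # step 2: well-formed JWS
        return False, "not a compact JWS"
    try:
        header = json.loads(b64url_decode(parts[0]))      # binascii/Unicode errors are ValueErrors
    except ValueError:
        return False, "header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return False, "header is not a JSON object"
    if header.get("typ") != "dpop+jwt":                   # step 4
        return False, "typ is not dpop+jwt"
    if header.get("alg") not in ALLOWED_DPOP_ALGS:        # step 5
        return False, "alg is not an allowed asymmetric algorithm"
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or jwk.get("kty") not in PRIVATE_JWK_MEMBERS:
        return False, "jwk missing or not an asymmetric key"
    leaked = jwk_private_members(jwk)
    if leaked:                                            # step 7: the check this CVE is about
        return False, "jwk contains private key material: " + ",".join(sorted(leaked))
    return True, header


# Constructed sample JWKs: x, y and d are placeholder bytes, not a real key pair.
PUBLIC_EC_JWK = {"kty": "EC", "crv": "P-256",
                 "x": b64url_encode(b"\x01" * 32), "y": b64url_encode(b"\x02" * 32)}
LEAKY_EC_JWK = dict(PUBLIC_EC_JWK, d=b64url_encode(b"\x03" * 32))


def make_proof(jwk: dict, alg: str = "ES256") -> str:
    """Build a proof with constructed claims and a placeholder signature segment,
    enough to exercise the header checks above."""
    header = {"typ": "dpop+jwt", "alg": alg, "jwk": jwk}
    payload = {"jti": "constructed-jti", "htm": "POST",
               "htu": "https://server.example.com/token", "iat": 1700000000}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    segments.append(b64url_encode(b"\x00" * 64))  # placeholder, not a real signature
    return ".".join(segments)


if __name__ == "__main__":
    for name, jwk in (("public jwk", PUBLIC_EC_JWK), ("jwk with private d", LEAKY_EC_JWK)):
        ok, detail = check_dpop_proof_header(make_proof(jwk))
        print(f"{name}: {'accepted' if ok else 'rejected (' + detail + ')'}")
```

The private-member table is keyed by kty because the leak is not EC-specific: an RSA jwk carrying d, p or q, or an OKP jwk carrying d, is just as malformed and must be rejected the same way. A real verifier performs this check before, not instead of, verifying the signature against the public part of the jwk.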