Bug 2496464 (CVE-2026-54431) - CVE-2026-54431 liboauth2: liboauth2: DPoP verifier accepts malformed proof with private key material
Summary: CVE-2026-54431 liboauth2: liboauth2: DPoP verifier accepts malformed proof wi...
Keywords:
Status: NEW
Alias: CVE-2026-54431
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2496726
Blocks:
Reported: 2026-07-02 11:01 UTC by OSIDB Bzimport
Modified: 2026-07-03 02:21 UTC (History)
CC List: 0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-07-02 11:01:30 UTC
In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.

This issue was fixed in version 2.3.0.
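As an added illustration of the header checks a DPoP verifier has to perform, the following is example code written for this page, not liboauth2's own code; it is in Python rather than the library's C so it runs without an external JSON library. It implements the JOSE header checks of RFC 9449 section 4.3, including the step 7 rejection of a jwk that carries private key members (the EC "d" scalar in the case this bug describes). The function names, the sample proofs and the JWK coordinate values are constructed placeholders; signature verification and the claim checks are separate steps not shown here.

```python
import base64
import json

# JWK members that carry private key material (RFC 7518 section 6), keyed by "kty".
# RFC 9449 section 4.3 step 7 requires a DPoP verifier to reject a proof whose
# "jwk" header contains any of these.
PRIVATE_JWK_MEMBERS = {
    "EC": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "OKP": {"d"},
}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dpop_header_rejections(proof: str) -> list:
    """Return the reasons the JOSE header of a DPoP proof fails the header checks of
    RFC 9449 section 4.3 (steps 3 to 5 and 7). An empty list means the header passed;
    signature verification (step 6) and the htm/htu/iat/jti/nonce claim checks are
    separate steps not implemented here."""
    parts = proof.split(".")
    if len(parts) != 3:
        return ["not a JWS compact serialization"]
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64url, bad UTF-8 and bad JSON
        return ["JOSE header is not valid base64url-encoded JSON"]
    if not isinstance(header, dict):
        return ["JOSE header is not a JSON object"]

    reasons = []
    # Step 3: the typ header must be "dpop+jwt".
    if header.get("typ") != "dpop+jwt":
        reasons.append("typ is not dpop+jwt")
    # Step 4: alg must name an asymmetric signature algorithm ("none" and HMAC are out).
    alg = header.get("alg")
    if not isinstance(alg, str) or alg == "none" or alg.startswith("HS"):
        reasons.append("alg is not an asymmetric signature algorithm")
    # Step 5: the jwk header must be present and represent a public key.
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or not isinstance(jwk.get("kty"), str):
        reasons.append("jwk header missing or malformed")
        return reasons
    if jwk["kty"] == "oct" or "k" in jwk:
        reasons.append("jwk is a symmetric key, not a public key")
    # Step 7: any private-key member present means the proof must be rejected.
    leaked = sorted(set(jwk) & PRIVATE_JWK_MEMBERS.get(jwk["kty"], set()))
    if leaked:
        reasons.append("jwk contains private key material: " + ", ".join(leaked))
    return reasons


def make_proof(header: dict, payload: dict) -> str:
    """Build a JWS compact string with a constructed placeholder signature; only the
    header is inspected by dpop_header_rejections, so no real signing is needed."""
    segments = [b64url_encode(json.dumps(h, separators=(",", ":")).encode()) for h in (header, payload)]
    return ".".join(segments + [b64url_encode(b"constructed-signature")])


# Constructed sample key: the coordinates are placeholders, not a real P-256 point.
PUBLIC_EC_JWK = {"kty": "EC", "crv": "P-256", "x": "eHh4", "y": "eXl5"}
PAYLOAD = {"jti": "constructed-id", "htm": "POST", "htu": "https://example.invalid/token", "iat": 1}

GOOD_PROOF = make_proof({"typ": "dpop+jwt", "alg": "ES256", "jwk": PUBLIC_EC_JWK}, PAYLOAD)
# Malformed proof of the kind the bug describes: the jwk header also embeds the EC private scalar "d".
BAD_PROOF = make_proof({"typ": "dpop+jwt", "alg": "ES256", "jwk": dict(PUBLIC_EC_JWK, d="ZGRk")}, PAYLOAD)

if __name__ == "__main__":
    for name, proof in (("good", GOOD_PROOF), ("bad", BAD_PROOF)):
        print(name, dpop_header_rejections(proof) or "accepted")
```

The check is deliberately a whitelist of public-key members per key type rather than a search for the single "d" field, because an RSA key leaks through "p", "q" and the CRT members as well; a verifier that passes this header stage still has to verify the JWS signature with that public key and check the claims before the proof counts as valid.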

