CVE-2026-54430
Received Received - Intake

Server-Side Request Forgery in liboauth2

Vulnerability report for CVE-2026-54430, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: CERT.PL

Description

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET is issued before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path. This issue was fixed in version 2.3.0

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
openidc liboauth2 2.3.0
openidc liboauth2 to 2.3.0 (exc)
liboauth2 liboauth2 2.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54430 is a Server-Side Request Forgery (SSRF) vulnerability in the liboauth2 library, specifically in the function oauth2_jose_jwks_aws_alb_resolve(). The vulnerability occurs because the AWS Application Load Balancer (ALB) verifier reads the signer and kid (Key ID) from an unverified JWT header. If the signer matches the configured Amazon Resource Name (ARN), the kid value is appended to the alb_base_url without URL encoding or path sanitization. This allows an attacker to manipulate the URL and force the server to send an HTTP GET request to an attacker-chosen internal path before the JWT signature is verified.

Impact Analysis

This vulnerability can allow an attacker to perform Server-Side Request Forgery (SSRF) attacks by making the vulnerable server send HTTP GET requests to internal or otherwise restricted paths chosen by the attacker. This can lead to unauthorized access to internal resources, potential information disclosure, or further exploitation of internal services that are not directly accessible from outside the network.

Detection Guidance

This vulnerability involves the liboauth2 library's AWS ALB verifier sending HTTP GET requests to attacker-controlled internal paths due to improper URL encoding of the JWT "kid" parameter before signature verification.

To detect exploitation attempts on your network or system, you can monitor outbound HTTP GET requests originating from the affected service that include unusual or unexpected paths appended to the AWS ALB base URL.

Suggested commands include using network monitoring tools or logs to identify suspicious GET requests. For example, using tcpdump or tshark to capture outbound HTTP traffic from the server:

  • tcpdump -i <interface> -A 'tcp port 80 and (((ip src <server_ip>) and (tcp[32:4] = 0x47455420)))'
  • tshark -i <interface> -Y 'http.request.method == "GET" and ip.src == <server_ip>' -T fields -e http.host -e http.request.uri

Additionally, reviewing application logs for requests to the oauth2_jose_jwks_aws_alb_resolve() function or related AWS ALB JWKs URL constructions that contain unencoded or suspicious "kid" values can help detect attempts.

Mitigation Strategies

The primary mitigation step is to upgrade liboauth2 to version 2.3.0 or later, where the vulnerability has been fixed by properly URL-encoding the "kid" parameter before constructing the AWS ALB JWKs URLs.

If upgrading immediately is not possible, consider implementing network-level restrictions to prevent the affected service from making unauthorized outbound HTTP GET requests to internal or untrusted endpoints.

Additionally, monitor logs and network traffic for suspicious GET requests as a temporary detection measure until the patch can be applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart