Unrated severity · NVD Advisory · Published Jul 3, 2026
Debian liboauth2: In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a pro…
CVE-2026-54431
Description
In liboauth2, the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof, but the oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header. This issue was fixed in version 2.3.0.
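The check the advisory says was missing is a header-level inspection that runs before any signature verification: the jwk carried in the proof must be a public key only. The following is an added illustration of that pre-check, written for this page and not taken from liboauth2; it implements RFC 9449 section 4.3 steps 4, 5 and 7 (typ, asymmetric alg, no private key material in jwk) and deliberately does not verify the signature, the htm/htu/iat claims or the nonce. The sample proofs, the key coordinates and the signature segment are constructed placeholder values, not real key material.

```python
import base64
import json

# JWK members that carry private key material, per key type
# (parameter names from RFC 7518 for EC/RSA and RFC 8037 for OKP).
PRIVATE_JWK_MEMBERS = {
    "EC": {"d"},
    "OKP": {"d"},
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
}


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in compact JWS segments."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def dpop_header_check(proof: str) -> tuple[bool, str]:
    """Header checks from RFC 9449 section 4.3 (steps 4, 5 and 7 only).

    Returns (ok, reason). A True result only means the JOSE header is
    acceptable; signature and claim verification still have to follow.
    """
    parts = proof.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS (expected three segments)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "header is not valid base64url-encoded JSON"
    if not isinstance(header, dict):
        return False, "header is not a JSON object"

    # Step 4: the typ header must identify a DPoP proof.
    if header.get("typ") != "dpop+jwt":
        return False, "typ is not dpop+jwt"

    # Step 5: alg must be an asymmetric signature algorithm (no 'none', no HMAC).
    alg = header.get("alg")
    if not isinstance(alg, str) or alg == "none" or alg.startswith("HS"):
        return False, f"alg {alg!r} is not an asymmetric signature algorithm"

    # Step 7: the jwk header must be a public key; reject anything carrying
    # private components (the check the advisory says was missing).
    jwk = header.get("jwk")
    if not isinstance(jwk, dict):
        return False, "jwk header missing or not an object"
    kty = jwk.get("kty")
    if kty not in PRIVATE_JWK_MEMBERS:  # also rejects 'oct' (symmetric) and unknown types
        return False, f"unsupported or symmetric kty {kty!r}"
    leaked = PRIVATE_JWK_MEMBERS[kty] & set(jwk)
    if leaked:
        return False, f"jwk contains private key material: {sorted(leaked)}"
    return True, "header ok"


def make_unsigned_proof(header: dict, payload: dict) -> str:
    """Build a compact JWS with a placeholder signature (constructed test data only)."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), _b64url_encode(b"placeholder-signature")])


# Constructed sample data; x/y/d are placeholders, not real curve points.
PUBLIC_EC_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
LEAKY_EC_JWK = dict(PUBLIC_EC_JWK, d="constructed-private-scalar")
PAYLOAD = {"jti": "constructed-id", "htm": "POST", "htu": "https://example.test/token", "iat": 1700000000}

GOOD_PROOF = make_unsigned_proof({"typ": "dpop+jwt", "alg": "ES256", "jwk": PUBLIC_EC_JWK}, PAYLOAD)
LEAKY_PROOF = make_unsigned_proof({"typ": "dpop+jwt", "alg": "ES256", "jwk": LEAKY_EC_JWK}, PAYLOAD)
HMAC_PROOF = make_unsigned_proof({"typ": "dpop+jwt", "alg": "HS256", "jwk": PUBLIC_EC_JWK}, PAYLOAD)

if __name__ == "__main__":
    for name, proof in [("good", GOOD_PROOF), ("leaky", LEAKY_PROOF), ("hmac", HMAC_PROOF)]:
        print(name, dpop_header_check(proof))
```

The step-7 test is a set intersection on member names rather than an attempt to parse the key, so it rejects a leaked `d` even when the public coordinates are malformed and does so before any cryptographic library touches the header; a verifier that only loads the jwk as a public key will silently ignore the extra members, which is the failure mode the advisory describes.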
Patches: 1