Vulnerability in Openidc Liboauth2
CVE-2026-54431
In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2_token_ver…
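The header check named in the description (RFC 9449 section 4.3, step 7), as an added example in Python that is not liboauth2's code or its fix: it decodes the JOSE header of a compact JWS and rejects a jwk that carries private or symmetric key members. The function names and sample key values are constructed for illustration; signature verification and the other section 4.3 checks are left out.

```python
import base64
import json

# Private-key members: RSA d/p/q/dp/dq/qi/oth and EC d (RFC 7518), OKP d (RFC 8037).
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def public_jwk_from_proof(proof: str) -> dict:
    """Return the jwk header of a DPoP proof, or raise ValueError if unusable."""
    parts = proof.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))  # failures are ValueError subclasses
    jwk = header.get("jwk") if isinstance(header, dict) else None
    if not isinstance(jwk, dict):
        raise ValueError("jwk header missing or not a JSON object")
    # "oct" keys are symmetric: the key value "k" is itself secret material.
    if jwk.get("kty") == "oct" or "k" in jwk:
        raise ValueError("jwk header carries a symmetric key")
    leaked = sorted(PRIVATE_JWK_MEMBERS.intersection(jwk))
    if leaked:
        raise ValueError("jwk header carries private key members: " + ", ".join(leaked))
    return jwk


def accepts(proof: str) -> bool:
    try:
        public_jwk_from_proof(proof)
        return True
    except ValueError:
        return False


def make_proof(jwk: dict) -> str:
    """Constructed, unsigned token with the shape of a DPoP proof (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}),
                     enc({"htm": "GET", "htu": "https://rs.example/resource"}), "c2ln"])


# Constructed sample keys: coordinate values are placeholders, not real key material.
PUBLIC_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
PRIVATE_JWK = dict(PUBLIC_JWK, d="constructed-d")

if __name__ == "__main__":
    for name, jwk in (("public", PUBLIC_JWK), ("private", PRIVATE_JWK)):
        print(name, "accepted" if accepts(make_proof(jwk)) else "rejected")
```

The member check is deliberately conservative: it rejects any listed member name regardless of kty, so it should run before the key is handed to a signature-verification routine.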
Affected products
- Openidc Liboauth2 — versions 0
Weakness classification (CWE)
References
- cvd@cert.pl (third-party-advisory)
- cvd@cert.pl (product)
- cvd@cert.pl (issue-tracking)
- cvd@cert.pl (third-party-advisory)