Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2026-54430 and CVE-2026-54431) found in OpenIDC liboauth2 software.
Analysis Summary
# Vulnerability: Critical Flaws in OpenIDC liboauth2 (SSRF and DPoP Verification Bypass)
## CVE Details
- **CVE ID**: CVE-2026-54430
- **CVSS Score**: Not provided in report (Estimated: Medium/High)
- **CWE**: CWE-918 (Server-Side Request Forgery)
- **CVE ID**: CVE-2026-54431
- **CVSS Score**: Not provided in report (Estimated: Medium)
- **CWE**: CWE-358 (Improperly Implemented Security Check for Standard)
## Affected Systems
- **Products**: OpenIDC liboauth2
- **Versions**: All versions prior to 2.3.0
- **Configurations**:
- For CVE-2026-54430: Specifically affects deployments using AWS Application Load Balancer (ALB) verification features.
- For CVE-2026-54431: Specifically affects deployments utilizing Demonstrating Proof-of-Possession (DPoP) for token security.
## Vulnerability Description
### CVE-2026-54430: Server-Side Request Forgery (SSRF)
The `oauth2_jose_jwks_aws_alb_resolve()` function fails to properly sanitize inputs leading to an SSRF. The AWS ALB verifier extracts the `signer` and `kid` parameters from an **unverified** JWT header. If the `signer` matches the configured Amazon Resource Name (ARN), the `kid` is appended directly to the `alb_base_url` without URL encoding or path sanitization. The software then issues an HTTP GET request to this constructed URL *before* the signature is verified, allowing an attacker to coerce the server into making requests to internal network paths.
### CVE-2026-54431: Improper DPoP Verification
The `oauth2_token_verify()` function fails to adhere to RFC 9449 security standards regarding Demonstrating Proof-of-Possession (DPoP). Per the standard, a verifier must reject a proof if the JSON Web Key (JWK) header contains private key material. However, liboauth2 incorrectly returns a "success" status even if a malformed DPoP proof embeds a private Elliptic Curve (EC) key in the header.
## Exploitation
- **Status**: Reported via CERT Polska; no current evidence of exploitation in the wild mentioned.
- **Complexity**:
- CVE-2026-54430: Low/Medium (Requires knowledge of the internal ARN).
- CVE-2026-54431: Low (Requires sending a malformed DPoP header).
- **Attack Vector**: Network
## Impact
- **Confidentiality**: High (SSRF can lead to internal metadata/service exposure; DPoP bypass affects token security).
- **Integrity**: Medium (Potential for unauthorized internal requests).
- **Availability**: Low/None reported.
## Remediation
### Patches
- **Version 2.3.0**: Users should upgrade to liboauth2 version 2.3.0 or later immediately. This version addresses both the SSRF in the AWS ALB resolver and the logic flaw in the DPoP verifier.
### Workarounds
- No specific software workarounds were provided. It is recommended to disable AWS ALB verification or DPoP features if an upgrade is not immediately possible and these features are not critical to operations.
## Detection
- **Indicators of Compromise**: Monitor outbound HTTP traffic from authenticating servers for unusual GET requests to internal paths or IP addresses, particularly those containing path traversal sequences or unexpected strings in the URL.
- **Detection Methods**: Audit logs for DPoP-enabled applications to identify JWT headers containing private key material (EC keys).
## References
- **CERT Polska Advisory**: hxxps[://]cert[.]pl/en/vulnerability-advisory/CVE-2026-54430
- **CVE-2026-54430 Record**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-54430
- **CVE-2026-54431 Record**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-54431
- **CVD Process**: hxxps[://]cert[.]pl/en/cvd/