CVE-2026-54430: CWE-918 Server-Side Request Forgery (SSRF) in OpenIDC liboauth2
liboauth2 is vulnerable to Server-Side Request Forgery in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET is issued before signature verification. This allows an attacker to force the server to send a GET request to an attacker-chosen internal path. This issue was fixed in version 2.3.0.
AI Analysis
Technical Summary
The AWS ALB token verifier in liboauth2's oauth2_jose_jwks_aws_alb_resolve() resolves the signing key from two fields of the JWT header, signer and kid, at a point where nothing in the token has been authenticated. When signer equals the configured ALB ARN, kid is appended to alb_base_url verbatim, with no URL encoding and no path sanitization, and the library issues an HTTP GET to the resulting URL to fetch the key. Because the key has to be fetched before the signature can be checked, an unsigned or arbitrarily signed token is enough to trigger the request, and the attacker-supplied kid decides which path on the key host is requested. Versions prior to 2.3.0 are affected; 2.3.0 contains the fix.
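The flow above, modelled in Python as an added illustration (this is not liboauth2's code, and the function names are invented for the example): a forged, unsigned token whose header carries the expected signer ARN and a path-traversal kid; a resolver that concatenates kid onto the base URL the way the advisory describes; and a hardened resolver that validates kid against the expected key-ID format, percent-encodes it and pins the fetch target to the configured host before any request would be made. The signer ARN, the ALB base URL and the assumption that ALB key IDs are UUIDs are stand-ins chosen for this example.

```python
"""Model of the kid-to-URL flaw described above (illustration only, not liboauth2 code).

Assumptions: the configured ALB signer ARN, the base URL of the ALB
public-key endpoint and the UUID format of ALB key IDs are all
stand-ins chosen for this example.
"""
import base64
import json
import re
from typing import Optional
from urllib.parse import quote, urlsplit

# Assumed deployment configuration (real values are deployment specific).
CONFIGURED_SIGNER_ARN = (
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
    "loadbalancer/app/my-alb/50dc6c495c0c9188"
)
ALB_BASE_URL = "https://public-keys.auth.elb.us-east-1.amazonaws.com/"

# Assumed: ALB key IDs are UUIDs, so anything else is rejected before any network I/O.
KID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT. Nothing here is authenticated."""
    segment = token.split(".")[0]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def forge_token(header: dict) -> str:
    """Build an unsigned token with an attacker-chosen header.

    The resolvers below run before signature verification, so an empty
    signature segment is enough to drive them.
    """
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    p = base64.urlsafe_b64encode(b"{}").rstrip(b"=").decode()
    return f"{h}.{p}."


def vulnerable_key_url(token: str) -> Optional[str]:
    """Resolver modelled on the advisory: trust the header, concatenate kid raw."""
    hdr = jwt_header(token)
    if hdr.get("signer") != CONFIGURED_SIGNER_ARN:
        return None
    # No encoding, no sanitization: the attacker picks the path, query and more.
    return ALB_BASE_URL + str(hdr.get("kid", ""))


def hardened_key_url(token: str) -> Optional[str]:
    """Validate kid against the expected format, encode it, and pin the fetch target."""
    hdr = jwt_header(token)
    if hdr.get("signer") != CONFIGURED_SIGNER_ARN:
        return None
    kid = hdr.get("kid")
    if not isinstance(kid, str) or not KID_RE.fullmatch(kid):
        return None
    url = ALB_BASE_URL + quote(kid, safe="")
    # Defence in depth: whatever is fetched must stay on the configured host and path prefix.
    base, target = urlsplit(ALB_BASE_URL), urlsplit(url)
    if (target.scheme, target.netloc) != (base.scheme, base.netloc):
        return None
    if not target.path.startswith(base.path) or target.query or target.fragment:
        return None
    return url


if __name__ == "__main__":
    # Constructed attacker token: correct signer ARN, traversal in kid, no signature.
    evil = forge_token({"alg": "ES256", "typ": "JWT",
                        "signer": CONFIGURED_SIGNER_ARN,
                        "kid": "../../internal/admin?x=1"})
    print("vulnerable:", vulnerable_key_url(evil))   # base URL plus the raw traversal string
    print("hardened:  ", hardened_key_url(evil))     # None: rejected before any GET
```

The point the example makes is that the "fetch before verify" ordering cannot itself be removed: a kid-addressed key has to be retrieved before the signature can be checked. What can be fixed is the trust placed in kid, so the hardened resolver treats it as untrusted input, accepts only the key-ID shape it expects, encodes it, and refuses anything that would leave the configured host or path prefix.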
Potential Impact
An unauthenticated attacker who knows the configured signer ARN can present a token that makes the server issue an HTTP GET to a path of the attacker's choosing on the host named in alb_base_url; because kid is appended raw, that path can carry traversal segments or a query string. The request originates from the server, so it can reach endpoints on that host that are not exposed externally, including anything behind a private or intermediate key endpoint if alb_base_url points at one. The advisory does not state whether the fetched response is exposed to the attacker, so treat it as at least a blind SSRF. No user interaction or privileges are required; CVSS 4.0 rates it 5.1 (Medium).
Mitigation Recommendations
Upgrade liboauth2 to 2.3.0 or later; that release contains the fix. liboauth2 is a library compiled into the operator's own deployment, not a hosted service, so there is no vendor-side remediation despite the "Is Cloud Service" flag in the record below: every deployment that links the library and has the AWS ALB verifier configured must be rebuilt or updated by its operator. As described, the vulnerable path is only reached when signer matches a configured ALB ARN, so deployments that do not use the ALB verifier are not exposed through this function. Until the upgrade is in place, the generic SSRF controls apply: restrict egress from the verifying host to the legitimate ALB public-key endpoint, and alert on outbound key fetches whose path does not look like a key ID.
CVSS v4.0
Score: 5.1 (Medium)
Affected software
liboauth2, versions prior to 2.3.0
Weaknesses
CWE-918: Server-Side Request Forgery (SSRF)
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2026-06-15T13:08:01.056Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: not specified (null)
- Is Cloud Service: true
Threat ID: 6a463f4927e9c79719b5b54a
Added to database: 07/02/2026, 10:36:57 UTC
Last enriched: 07/02/2026, 10:51:21 UTC
Last updated: 07/02/2026, 11:43:39 UTC
Views: 5