<Vulnerability name="CVE-2026-54430">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-02T10:30:33</PublicDate>
    <Bugzilla id="2496465" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496465" xml:lang="en:us">
liboauth2: liboauth2: Server-Side Request Forgery allows unauthorized internal network access
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>5.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-918</CWE>
    <Details xml:lang="en:us" source="Mitre">
liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT
header. If signer matches the configured ARN, kid is appended to
alb_base_url without URL encoding or path sanitization, and the HTTP GET
is issued before signature verification. This allows an attacker to force
the server to send a GET request to an attacker-chosen internal path.

This issue was fixed in version 2.3.0
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in liboauth2 in the oauth2_jose_jwks_aws_alb_resolve()
function. The AWS ALB JWT verifier reads the signer and kid fields from
the unverified JWT header. When signer matches the configured ARN, kid is
appended to the ALB base URL without path sanitization, and an HTTP GET
request is issued before signature verification. An attacker who can
present a crafted JWT to an endpoint using AWS ALB verification could
force the server to issue GET requests to unintended internal paths,
potentially disclosing limited information from internal services.
    </Details>
    <Statement xml:lang="en:us">
This Moderate flaw in liboauth2 allows for Server-Side Request Forgery (SSRF) when an application uses AWS ALB JWT verification. An attacker can craft a JWT to force the server to make GET requests to internal network paths, potentially exposing limited internal service information. This requires the vulnerable component to be configured with AWS ALB JWT verification.
    </Statement>
    <Mitigation xml:lang="en:us">
Restrict network access to the application endpoint that processes
AWS ALB-signed JWTs to trusted sources only. If the AWS ALB verification
feature (oauth2_jose_jwks_aws_alb_resolve) is not required, disable it in the
liboauth2 configuration. Upgrade to liboauth2 version 2.3.0 or later to fully
resolve this vulnerability.
    </Mitigation>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-54430
https://nvd.nist.gov/vuln/detail/CVE-2026-54430
https://cert.pl/en/posts/2026/06/CVE-2026-54430
https://github.com/OpenIDC/liboauth2
https://github.com/OpenIDC/liboauth2/commit/347507ac5b51f48c2933bbe49b2ee07c2af4712b
    </References>
</Vulnerability>