Update oauth2-oidc-sdk to 11.26

Update nimbus-jose-jwt to 10.0.2

NOTE: oauth2-oidc-sdk:11.26 uses nimbus-jose-jwt:10.0.2

Related gh-14245

Comment From: kguelzau

Will this also be changed in 6.x / 6.5.x?

Comment From: jgrandja

@kguelzau No it won't. Only patch version updates can happen in patch releases.

Both nimbus dependencies are major version updates so this can only happen in 7.0.

Comment From: daspilker

@jgrandja But does this mean that each application that uses 6.5 will be vulnerable to CVE-2025-53864 until 7.0 is released and the application has been updated to 7.0?

Comment From: uweguenther

@jgrandja can you not reach out to the Nimbus maintainers and request a backport of the CVE-2025-53864 fix to a 9.37.x release?

Andy Wilkinson mentioned in 46478 that you have maybe done something similar in the past.

Comment From: ThomasKasene

@daspilker I was able to override the com.nimbusds:nimbus-jose-jwt version in my apps:

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.nimbusds</groupId>
                <artifactId>nimbus-jose-jwt</artifactId>
                <version>10.4</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

I can't guarantee that it doesn't have any side effects, but at least in my cases, it appears to work fine.

Comment From: LoganDev99

@daspilker I was able to override the com.nimbusds:nimbus-jose-jwt version in my apps:

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.nimbusds</groupId>
                <artifactId>nimbus-jose-jwt</artifactId>
                <version>10.4</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

I can't guarantee that it doesn't have any side effects, but at least in my cases, it appears to work fine.

Looks like it's this ticket:

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch