
Apache CXF CVE-2026-50627

EUVD-2026-36395 · CRITICAL
Authentication Bypass by Alternate Name (CWE-289)
9.1 (CVSS 3.1 · NVD)

Severity by source

NVD (primary): 9.1 CRITICAL
CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

vuln.today AI: 9.9 CRITICAL
Network-reachable Resource Server, no user interaction, scope changes to a different RS; PR:L because attacker only needs to be a legitimate client of any peer service to mint a usable JWT, not a high-privilege admin.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Red Hat: 8.1 HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Jun 15, 2026 - 18:31 · vuln.today · Analysis Updated, v3 (cvss_changed)
Jun 15, 2026 - 18:31 · vuln.today · Analysis Updated, v2 (cvss_changed)
Jun 15, 2026 - 18:22 · vuln.today · Re-analysis Queued (cvss_changed)
Jun 15, 2026 - 18:22 · NVD · CVSS changed: 9.1 (CRITICAL)
Jun 12, 2026 - 11:01 · EUVD · Patch available
Jun 11, 2026 - 18:23 · vuln.today · Analysis Generated

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Token confusion in Apache CXF's JwtAccessTokenValidator allows an attacker holding a valid JWT issued for one Resource Server to replay it against an unrelated Resource Server because the 'aud' (Audience) claim is not validated. Affects Apache CXF 4.2.0 through 4.2.1 and all versions prior to 4.1.7, enabling cross-service authentication bypass with full confidentiality, integrity, and availability impact on the unintended target. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain valid JWT from shared issuer
Delivery: Identify peer CXF Resource Server
Exploit: Replay token against unintended audience
Execution: Pass JwtAccessTokenValidator without aud check
Persist: Invoke privileged API on victim service
Impact: Exfiltrate or modify data across trust boundary

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) the target service to use Apache CXF's JwtAccessTokenValidator (i.e. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals point in different directions and need to be reconciled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A legitimate but low-trust client of Resource Server A (say, a reporting API) obtains a valid JWT from the shared Authorization Server. Because CXF's JwtAccessTokenValidator on Resource Server B (say, a payments API) does not check that 'aud' equals B, the attacker presents the same bearer token to B and is silently authenticated with the privileges the token carries, allowing data access or modification on a service they were never authorized for. …

Remediation: Vendor-released patch: upgrade to Apache CXF 4.2.2 (for the 4.2.x line) or 4.1.7 (for 4.1.x and earlier), both of which add proper validation of the JWT 'aud' claim in JwtAccessTokenValidator; consult https://lists.apache.org/thread/0jfzz9q992957b99tw7hodcqjfyxwb1m and https://seclists.org/oss-sec/2026/q2/887 for the official notice. … Detailed patch versions, workarounds, and compensating controls in full report.
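The token-confusion pattern in the exploit scenario above, and the audience check that the fix adds, reduced to a runnable model. This is an added example and is not Apache CXF's JwtAccessTokenValidator or any code from the project; the HS256 secret, issuer URL, audience names and the function names are constructed for illustration, and a real Resource Server should use a vetted JWT library rather than this toy signer. It shows that a validator which checks only signature and expiry accepts a token minted for the reporting API when it is presented to the payments API, while a validator that also matches the 'aud' claim (a string or an array of strings, per RFC 7519) rejects the same token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared between the Authorization Server and both
# Resource Servers in this model (symmetric HS256 keeps the example offline).
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"
ISSUER = "https://auth.example.test"  # constructed issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, audience, secret=SHARED_SECRET, ttl_seconds=300):
    """Model of the shared Authorization Server issuing an HS256 JWT.

    'audience' may be a single string or a list, as RFC 7519 allows for 'aud'.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "sub": subject,
        "aud": audience,
        "exp": int(time.time()) + ttl_seconds,
    }
    signing_input = (
        _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_signature_and_expiry(token, secret=SHARED_SECRET):
    """Checks algorithm, signature, issuer and expiry; returns claims or None.

    Deliberately says nothing about 'aud': this is the part both validators
    below share.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust 'none'
            return None
        expected = hmac.new(
            secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if claims.get("iss") != ISSUER:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= time.time():
        return None
    return claims


def validate_without_aud_check(token, expected_audience):
    """Vulnerable pattern: a well-signed token from the shared issuer is
    accepted regardless of which Resource Server it was issued for.
    'expected_audience' is ignored, which is exactly the defect."""
    return verify_signature_and_expiry(token)


def validate_with_aud_check(token, expected_audience):
    """Hardened pattern: the token must name this Resource Server in 'aud'."""
    claims = verify_signature_and_expiry(token)
    if claims is None:
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return None  # token confusion: minted for a different audience
    return claims


if __name__ == "__main__":
    # Token issued to a client of the reporting API (constructed names).
    reporting_token = mint_token("reporting-client", "reporting-api")
    print("payments API, no aud check :",
          validate_without_aud_check(reporting_token, "payments-api") is not None)
    print("payments API, aud check    :",
          validate_with_aud_check(reporting_token, "payments-api") is not None)
    print("reporting API, aud check   :",
          validate_with_aud_check(reporting_token, "reporting-api") is not None)
```

The check worth carrying into any real deployment is the last one: after signature, issuer and expiry, the validator must compare the token's 'aud' against the identity of the service receiving it, accepting both the string and the array form of the claim. A token that passes every other check but names a different audience is evidence of replay across services and is worth logging as such.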

Recommended Action (AI)

Within 24 hours: identify all Apache CXF deployments and versions (vulnerable: all prior to 4.1.7 and versions 4.2.0-4.2.1). …

Vendor Status
