
Apache CXF CVE-2026-50628

EUVD-2026-36396 · CRITICAL
Improper Input Validation (CWE-20)
CVSS 3.1 (NVD): 9.8

Severity by source

NVD (primary): 9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL
Once the optional IP-binding filter is enabled, any remote unauthenticated client from a non-bound IP bypasses the intended control, yielding full C/I/A impact on resources gated by that filter.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (AT:P records the precondition that the IP-binding filter is enabled)

Red Hat: 7.4 HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Jun 15, 2026 18:29  vuln.today  Analysis Updated, v3 (cvss_changed)
Jun 15, 2026 18:29  vuln.today  Analysis Updated, v2 (cvss_changed)
Jun 15, 2026 18:22  vuln.today  Re-analysis Queued (cvss_changed)
Jun 15, 2026 18:22  NVD         CVSS changed: 9.8 (CRITICAL)
Jun 12, 2026 11:01  EUVD        Patch available
Jun 11, 2026 18:23  vuln.today  Analysis Generated

Description (pre-NVD)

Disclosed via oss-security. The full NVD description is still pending; NVD published its CVSS 3.1 score (9.8, Critical) on Jun 15, 2026.

Analysis (AI)

Authentication bypass in Apache CXF's OAuthRequestFilter affects versions prior to 4.1.7 and 4.2.0-4.2.1, where an inverted IP-binding check rejects requests from the configured bound IP and permits requests from every other source address. The flaw turns an intended IP allowlist into an implicit deny-list of one, enabling remote unauthenticated attackers to reach protected OAuth endpoints from arbitrary networks. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify a CXF OAuth endpoint with IP-binding enabled
Delivery: Send an OAuth request from a non-bound IP
Exploit: The inverted filter check admits the request
Execution: Reach the protected OAuth resource
Impact: Obtain tokens or invoke a privileged operation

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that an administrator has explicitly enabled the OAuthRequestFilter IP-binding feature on an Apache CXF deployment running a vulnerable version (anything below 4.1.7 on the 4.1.x line, or 4.2.0 / 4.2.1 on the 4.2.x line). On default configurations, where the filter is not enabled, the inverted check is never reached and the vulnerability is not exposed. …

Risk Assessment: The published CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8 (Critical) and is internally consistent with a remote unauthenticated bypass, but real-world exposure is narrower than the headline number: the issue only manifests when an operator has explicitly enabled OAuthRequestFilter's IP-binding feature, so unaffected default deployments dominate the install base. Where the feature is enabled, however, the control fails completely rather than partially: the one address meant to be allowed is the only one rejected, and every other source is admitted. …

Exploit Scenario: An attacker discovers a public OAuth endpoint fronted by Apache CXF where the operator enabled OAuthRequestFilter IP-binding to restrict callers to a specific internal address. Because the filter's check is inverted, the attacker simply issues normal OAuth requests from their own external IP and is admitted, while the legitimate bound IP is rejected. From there they can complete OAuth flows and reach protected resources that the operator believed were IP-restricted. …

Remediation: Upgrade Apache CXF to 4.1.7 on the 4.1.x branch or 4.2.2 on the 4.2.x branch; both restore the correct IP comparison semantics in OAuthRequestFilter (Apache advisory: https://lists.apache.org/thread/vb3ho8lf228gh90m1fpnohf2008xrdxk; oss-security disclosure: https://seclists.org/oss-sec/2026/q2/888). Until the upgrade is applied, the IP-binding filter must not be relied on as an access control, since it admits every address except the one it was configured to allow. …

Recommended Action (AI)

Within 24 hours: inventory systems running Apache CXF, identify the deployments that enable OAuthRequestFilter IP-binding, and assess their network exposure. After upgrading, confirm the fix functionally: a request from the configured bound address must be accepted and a request from any other address rejected. …
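The inventory step above can be scripted. The following Python is an added example (not vuln.today's or the Apache CXF project's code) that triages the Apache CXF versions found in a Maven-style dependency listing against the ranges stated on this page: 4.1.x below 4.1.7 and 4.2.0 through 4.2.1 are vulnerable, 4.1.7 and 4.2.2 are the fixed releases. The inventory lines are constructed sample input in `mvn dependency:list` format, and the artifact names are illustrative. Versions below 4.1 are flagged for manual review rather than given a verdict, because the page's wording ("prior to 4.1.7") and its assessment ("on the 4.1.x line") differ on older branches; check the advisory for those.

```python
"""Triage Apache CXF versions in a dependency listing for CVE-2026-50628.

Added example, not Apache CXF or vuln.today code. The affected and fixed
ranges are the ones stated on this page; the inventory text is constructed
sample input.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the page's Remediation section.
FIXED_4_1: Version = (4, 1, 7)
FIXED_4_2: Version = (4, 2, 2)

# One line of `mvn dependency:list` output: group:artifact:type:version[:scope]
COORD_RE = re.compile(r"(org\.apache\.cxf):([\w.-]+):jar:([^:\s]+)(?::(\w+))?")


def parse_version(version: str) -> Optional[Version]:
    """(major, minor, patch) from 'x.y.z[-qualifier]'; None if not that shape."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(version: str) -> str:
    """Verdict for one CXF version against the page's stated ranges."""
    v = parse_version(version)
    if v is None:
        return "unparseable"
    branch = v[:2]
    if branch == (4, 1):
        return "fixed" if v >= FIXED_4_1 else "vulnerable"
    if branch == (4, 2):
        return "fixed" if v >= FIXED_4_2 else "vulnerable"
    if v < FIXED_4_1:
        # Assumption: the page says "prior to 4.1.7" in one place and "on the
        # 4.1.x line" in another, so older branches get a review flag, not a verdict.
        return "older-branch-review"
    return "not-listed"  # newer than any range the page names


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """(artifact, version, verdict) for every org.apache.cxf coordinate found."""
    rows = []
    for line in inventory.splitlines():
        m = COORD_RE.search(line)
        if m:
            artifact, version = m.group(2), m.group(3)
            rows.append((artifact, version, classify(version)))
    return rows


# Constructed sample listing; artifact names are illustrative.
SAMPLE_INVENTORY = """\
[INFO]    org.apache.cxf:cxf-core:jar:4.2.1:compile
[INFO]    org.apache.cxf:cxf-rt-rs-security-oauth2:jar:4.2.1:compile
[INFO]    org.apache.cxf:cxf-rt-frontend-jaxrs:jar:4.1.7:compile
[INFO]    org.apache.cxf:cxf-rt-rs-security-oauth2:jar:4.1.6:compile
[INFO]    org.apache.cxf:cxf-core:jar:4.0.5:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile
"""

if __name__ == "__main__":
    for artifact, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict:20} {artifact}:{version}")
```

The script keys on the CXF version shared by all modules rather than on one artifact, since the page does not name the module that carries OAuthRequestFilter. Qualifiers such as `-SNAPSHOT` are dropped before comparison, so a `4.1.7-SNAPSHOT` build is reported as fixed even though it may predate the fix commit; treat snapshot builds as a manual check. A version verdict alone does not settle exposure: the filter has to be enabled for the bug to be reachable, so the next step is to check each vulnerable deployment's configuration for OAuthRequestFilter IP-binding.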

