Skip to main content

Apache CXF EUVD-2026-36397

| CVE-2026-50629 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-11 GHSA-f8p7-h97q-7vx7
Code Injection Cxf
5.3
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
5.3 LOW
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible OAuth2 endpoint accepts clientId without prior authentication; impact is limited to log integrity corruption with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jun 12, 2026 - 16:22 NVD
HIGH MEDIUM
CVSS changed
Jun 12, 2026 - 16:22 NVD
8.2 (HIGH) 5.3 (MEDIUM)
Patch available
Jun 12, 2026 - 11:01 EUVD
Analysis Generated
Jun 11, 2026 - 18:21 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Log injection in Apache CXF's OAuth2 module (org.apache.cxf:cxf-rt-rs-security-oauth2) permits remote attackers to forge arbitrary log entries by supplying crafted clientId values containing control characters or newline sequences in OAuth2 HTTP requests. Affected are CXF 4.2.0-4.2.1 and all 4.1.x versions before 4.1.7; fixed releases 4.2.2 and 4.1.7 were issued June 10, 2026. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send OAuth2 HTTP request to CXF endpoint
Delivery
Supply clientId containing embedded CRLF sequences and forged log text
Exploit
Server concatenates raw clientId into log warning message
Execution
Injected content written to log file as apparently legitimate server entry
Impact
SIEM or analyst misled by fabricated log data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Apache CXF deployment includes the `cxf-rt-rs-security-oauth2` module and exposes an active OAuth2 server endpoint reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor classifies this as Low severity, which is appropriate given that the sole exploitable impact is log file integrity - no code execution, data exfiltration, or service disruption is achievable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends an OAuth2 authorization or token request to the CXF server with a `clientId` value such as `legitimate-client\nWARN 2026-06-11 00:00:00 Successful admin login from 10.0.0.1`. The server logs this clientId verbatim as part of a warning message, causing the injected text to appear as a distinct, legitimate-looking log entry. …
Remediation Upgrade to Apache CXF 4.2.2 if running any 4.2.x build, or to 4.1.7 if running any 4.1.x build; both releases were made available June 10, 2026, and are downloadable from https://cxf.apache.org/. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all systems running org.apache.cxf:cxf-rt-rs-security-oauth2 versions 4.1.0-4.1.6 or 4.2.0-4.2.1. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50628 CRITICAL
9.8 Jun 11

Authentication bypass in Apache CXF's OAuthRequestFilter affects versions prior to 4.1.7 and 4.2.0-4.2.1, where an inver
CVE-2026-49875 CRITICAL
9.8 Jun 11

XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to tr
CVE-2026-50627 CRITICAL
9.1 Jun 11

Token confusion in Apache CXF's JwtAccessTokenValidator allows an attacker holding a valid JWT issued for one Resource S
CVE-2026-50632 HIGH
8.1 Jun 11

Remote code execution in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 can occur when untruste
CVE-2026-50633 HIGH
8.1 Jun 11

Remote code execution in Apache CXF's JCA integration module allows attackers to achieve arbitrary code execution via JN

Share

EUVD-2026-36397 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy