Apache CXF EUVD-2026-36398

CVE-2026-50630 (MEDIUM)
HTTP Response Splitting (CWE-113)
6.5 CVSS 3.1 (Vendor)

Severity by source

Vendor (CNA), primary: 6.5 LOW
  CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

vuln.today AI: 4.7 MEDIUM
  Rationale: Network vector, high complexity (realm control required), scope change to client, low C/I via header injection; no availability impact.
  CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
  CVSS 4.0 vector: AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (4 entries)

Severity Changed, Jun 12, 2026 15:22 (NVD): CRITICAL to MEDIUM
CVSS changed, Jun 12, 2026 15:22 (NVD): 6.5 (CRITICAL) to 6.5 (MEDIUM)
Patch available, Jun 12, 2026 11:01 (EUVD)
Analysis Generated, Jun 11, 2026 18:21 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

HTTP Response Splitting via CRLF injection in Apache CXF's OAuth2 module allows an attacker who controls the WWW-Authenticate realm parameter to inject arbitrary HTTP headers or split HTTP responses entirely. Affected deployments include cxf-rt-rs-security-oauth2 versions 4.2.0 before 4.2.2 and all versions before 4.1.7. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify CXF OAuth2 endpoint accepting realm-influencing input
Delivery: Craft HTTP request embedding CRLF sequences in realm parameter
Exploit: Trigger OAuth2 authentication challenge response
Execution: Server concatenates unsanitized realm into WWW-Authenticate header
Persist: Injected CRLF splits HTTP response
Impact: Victim HTTP client processes attacker-injected headers

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that an attacker can control or influence the 'realm' parameter value that the OAuth2 AuthorizationUtils class uses when constructing the WWW-Authenticate response header. …

Risk Assessment: The vendor-assigned severity is 'low', consistent with the conditional exploitation requirement: an attacker must be able to control the realm value used by AuthorizationUtils, which is not universally achievable from an unauthenticated external position. …

Exploit Scenario: An attacker targets a web application that exposes an Apache CXF OAuth2 endpoint where the realm value is dynamically derived from a client-controlled input such as a query parameter or Authorization header field. The attacker crafts a request embedding CRLF sequences in the realm value (e.g., realm="legit\r\nSet-Cookie: session=attacker"), causing the server to emit a malformed WWW-Authenticate header. …

Remediation: Upgrade to Apache CXF 4.2.2 or 4.1.7, both released on June 10, 2026, per the official Apache CXF project page at https://cxf.apache.org/. …
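An added defensive example, not Apache CXF code, showing the check a challenge builder needs so that a realm value taken from untrusted input cannot split the response: the realm must match the HTTP quoted-string character set, which excludes CR and LF, and any quote or backslash is escaped so the value cannot end the quoted string early. Class and method names are hypothetical.

```java
import java.util.regex.Pattern;

// Hypothetical helper (not part of Apache CXF): builds a WWW-Authenticate
// challenge from an untrusted realm without letting it break out of the header.
public final class SafeChallenge {
    // Characters allowed inside an HTTP quoted-string (RFC 7230): tab, space,
    // printable ASCII and obs-text. CR and LF are absent, which is what
    // prevents the header line from being terminated by the realm value.
    private static final Pattern QUOTED_STRING_SAFE =
        Pattern.compile("[\\t \\x21-\\x7E\\x80-\\xFF]*");

    private SafeChallenge() {}

    /** True if the value contains CR or LF, i.e. it could split the response. */
    public static boolean containsLineBreak(String value) {
        return value != null && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0);
    }

    /**
     * Returns a single-line Bearer challenge. Rejects a realm with CR/LF or other
     * control characters, and escapes '"' and '\' so the realm cannot close the
     * quoted-string and append further parameters.
     */
    public static String bearerChallenge(String realm) {
        if (realm == null || !QUOTED_STRING_SAFE.matcher(realm).matches()) {
            throw new IllegalArgumentException("realm contains characters not allowed in a header");
        }
        String escaped = realm.replace("\\", "\\\\").replace("\"", "\\\"");
        return "Bearer realm=\"" + escaped + "\"";
    }

    public static void main(String[] args) {
        System.out.println(bearerChallenge("example-api"));
        // Constructed sample shaped like the injection described above; it is refused.
        String injected = "legit\r\nSet-Cookie: session=attacker";
        System.out.println("contains line break: " + containsLineBreak(injected));
        try {
            bearerChallenge(injected);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting rather than stripping the offending characters is deliberate: a realm that arrives with CR/LF in it is itself a signal worth logging, not something to quietly repair.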

Recommended Action (AI)

24 hours: Inventory all production and non-production systems running Apache CXF cxf-rt-rs-security-oauth2 versions 4.2.0-4.2.1 or any version prior to 4.1.7; document version numbers, deployment type, and business criticality. …