Apache CXF EUVD-2026-36402 | CVE-2026-50634
Severity: MEDIUM
Weakness: Improper Verification of Cryptographic Signature (CWE-347)
Score: 6.5 (CVSS 3.1, Vendor)

Severity by source

Vendor (CNA), primary: 6.5 HIGH
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

vuln.today AI: 3.1 LOW
  Rationale: Network-reachable but high complexity; PR:L because exploiting the filter requires a signing credential; integrity impact only, no confidentiality or availability effect.
  CVSS 3.1: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
  CVSS 4.0: AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (4 events)

Jun 12, 2026 - 16:22, NVD: Severity changed, CRITICAL → MEDIUM
Jun 12, 2026 - 16:22, NVD: CVSS changed, 6.5 (CRITICAL) → 6.5 (MEDIUM)
Jun 12, 2026 - 11:01, EUVD: Patch available
Jun 11, 2026 - 20:16, vuln.today: Analysis generated

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Signature metadata trust bypass in Apache CXF's JwsJsonContainerRequestFilter allows an attacker who can send JWS JSON-signed requests to inject unvalidated metadata - such as Content-Type or protected HTTP headers - by placing it in the first signature entry of a multi-signature JWS JSON token, even when that entry's signature was never verified. Affected deployments using the cxf-rt-rs-security-jose-jaxrs module may incorrectly trust attacker-controlled content type or header values, steering JAX-RS entity parsing or signed-header consistency checks in unintended ways. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain valid JWS signing credential for target endpoint
Delivery: Craft multi-signature JWS JSON with malicious protected header in first entry
Exploit: Attach valid accepted signature in second entry
Execution: Submit request to JwsJsonContainerRequestFilter-protected endpoint
Persist: Filter accepts second-entry signature but reads first-entry metadata
Impact: Downstream JAX-RS parser acts on attacker-controlled Content-Type or header

Vulnerability Assessment (AI)

Exploitation: Requires all of the following: (1) The target application uses the Apache CXF artifact cxf-rt-rs-security-jose-jaxrs at a vulnerable version (4.2.0-4.2.1 or any version before 4.1.7). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: No CVSS vector or EPSS score was provided in the available data, requiring independent assessment. …
Exploit Scenario: An attacker holding a legitimate signing key accepted by a deployed Apache CXF JAX-RS endpoint constructs a JWS JSON token with two signature entries: the first contains an attacker-crafted protected header (e.g., a spoofed Content-Type value pointing to a class the application deserializes) but an invalid or absent signature, while the second entry carries the attacker's genuine, accepted signature over the actual payload. The JwsJsonContainerRequestFilter accepts the token because the second signature validates, but then reads the Content-Type from the unverified first entry, causing the JAX-RS layer to deserialize the body using the attacker-specified type. …
Remediation: Upgrade to Apache CXF 4.2.2 (for 4.2.x users) or 4.1.7 (for 4.1.x users), both released June 10, 2026 and confirmed by the Apache CXF project at https://cxf.apache.org/. …
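The analysis and the exploit scenario above both come down to one consumer-side rule for JWS JSON (RFC 7515 general serialization) tokens: when a verifier accepts a token because one entry in the `signatures` array validates, every piece of protected-header metadata it acts on (content type included) must be read from that same verified entry, never from entry 0. The following Python is an added example, not code from Apache CXF or from the vuln.today analysis; it contrasts the flawed "any entry verifies, read entry 0" pattern with the bound-to-verified-entry form. The shared HS256 key, the use of the `cty` header to carry the content type, the token layout and all function names are assumptions made for the demo; CXF's own filter, header names and key handling are not reproduced.

```python
"""Added example: a JWS JSON consumer must take header metadata only from the
signature entry it actually verified.  Constructed, self-contained illustration;
not Apache CXF code.  HMAC-SHA256 ("HS256") keeps it standard-library only."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys for the demo (not real credentials).
TRUSTED_KEY = b"server-side-trusted-hmac-key-constructed"
UNTRUSTED_KEY = b"some-other-key-never-accepted-by-server"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(protected_b64: str, payload_b64: str) -> bytes:
    # RFC 7515 section 5.1: ASCII(BASE64URL(protected header) '.' BASE64URL(payload));
    # each entry has its own protected header, so each entry signs a different input.
    return f"{protected_b64}.{payload_b64}".encode("ascii")


def sign_entry(protected: dict, payload_b64: str, key: bytes) -> dict:
    """Build one element of the 'signatures' array, signed with HS256 under 'key'."""
    protected_b64 = b64url_encode(json.dumps(protected, separators=(",", ":")).encode())
    mac = hmac.new(key, signing_input(protected_b64, payload_b64), hashlib.sha256).digest()
    return {"protected": protected_b64, "signature": b64url_encode(mac)}


def verify_entry(entry: dict, payload_b64: str, key: bytes) -> Optional[dict]:
    """Return the entry's protected header if its signature verifies, else None."""
    protected = json.loads(b64url_decode(entry["protected"]))
    if protected.get("alg") != "HS256":  # pin the algorithm; never let 'alg' pick it
        return None
    expected = hmac.new(key, signing_input(entry["protected"], payload_b64), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(entry["signature"])):
        return None
    return protected


def metadata_flawed(jws: dict, key: bytes) -> Optional[dict]:
    """Flawed pattern: accept if ANY entry verifies, then read metadata from entry 0,
    which may be the one that did not verify."""
    if any(verify_entry(e, jws["payload"], key) is not None for e in jws["signatures"]):
        return json.loads(b64url_decode(jws["signatures"][0]["protected"]))
    return None


def metadata_hardened(jws: dict, key: bytes) -> Optional[dict]:
    """Hardened: metadata comes only from the entry whose signature verified."""
    for entry in jws["signatures"]:
        verified_header = verify_entry(entry, jws["payload"], key)
        if verified_header is not None:
            return verified_header
    return None  # no entry verified: nothing in the token is trustworthy


def build_demo_token() -> dict:
    """Constructed test input: entry 0 is unverifiable under TRUSTED_KEY and carries
    a spoofed content type; entry 1 is a genuine signature with the real type."""
    payload_b64 = b64url_encode(b'{"order":"42"}')
    unverified = sign_entry({"alg": "HS256", "cty": "application/x-spoofed"}, payload_b64, UNTRUSTED_KEY)
    genuine = sign_entry({"alg": "HS256", "cty": "application/json"}, payload_b64, TRUSTED_KEY)
    return {"payload": payload_b64, "signatures": [unverified, genuine]}


def compare_consumers() -> dict:
    """Run both consumers over the demo token and report which 'cty' each trusts."""
    token = build_demo_token()
    flawed = metadata_flawed(token, TRUSTED_KEY)
    hardened = metadata_hardened(token, TRUSTED_KEY)
    return {
        "flawed_cty": flawed["cty"] if flawed else None,
        "hardened_cty": hardened["cty"] if hardened else None,
    }


if __name__ == "__main__":
    print(compare_consumers())
```

Running it shows the flawed consumer trusting `application/x-spoofed` from the entry whose signature never validated, while the hardened consumer reports `application/json` from the entry it verified, and returns nothing at all when no entry verifies. Pinning `alg` inside `verify_entry` is deliberate: a consumer that lets the token choose its algorithm has the same class of problem, trusting unverified header fields to drive verification.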

Recommended Action (AI)

Within 24 hours: Inventory all applications using Apache CXF versions 4.1.x or 4.2.x, specifically those with the cxf-rt-rs-security-jose-jaxrs module in their dependency tree. …
