🔐 CVE Alert

CVE-2026-50623

UNKNOWN 0.0

Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.

CWE CWE-287
Vendor apache software foundation
Product apache cxf
Published Jun 12, 2026
Last Updated Jun 12, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache cxf

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache cxf are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache CXF
4.2.0 < 4.2.2 0 < 4.1.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗
lists.apache.org: https://lists.apache.org/thread/ydzj8m5mqmjy13xgyj9mkk9hfff63qq7 openwall.com: http://www.openwall.com/lists/oss-security/2026/06/11/3

Credits

Guanping Zhang reported this vulnerability.