πŸ” CVE Alert

CVE-2026-50627

UNKNOWN 0.0

Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks.Β Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

CWE CWE-289
Vendor apache software foundation
Product apache cxf
Published Jun 12, 2026
Last Updated Jun 12, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache cxf

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache cxf are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

Apache Software Foundation / Apache CXF
4.2.0 < 4.2.2 0 < 4.1.7

References

NVD β†— CVE.org β†— EPSS Data β†—
lists.apache.org: https://lists.apache.org/thread/0jfzz9q992957b99tw7hodcqjfyxwb1m openwall.com: http://www.openwall.com/lists/oss-security/2026/06/11/4

Credits

Guanping Zhang reported this vulnerability.