πŸ” CVE Alert

CVE-2026-50628

UNKNOWN 0.0

Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature therefore inadvertently creates an inverted security check: the IP binding that was meant to restrict access instead blocks only the intended client. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

CWE CWE-20
Vendor apache software foundation
Product apache cxf
Published Jun 12, 2026
Last Updated Jun 12, 2026

Affected Versions

Apache Software Foundation / Apache CXF
4.2.0 up to (excluding) 4.2.2
0 up to (excluding) 4.1.7

References

NVD, CVE.org, EPSS Data
lists.apache.org: https://lists.apache.org/thread/vb3ho8lf228gh90m1fpnohf2008xrdxk
openwall.com: http://www.openwall.com/lists/oss-security/2026/06/11/5

Credits

Guanping Zhang reported this vulnerability