πŸ” CVE Alert

CVE-2026-50629

UNKNOWN 0.0

Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files.Β Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

CWE CWE-93
Vendor apache software foundation
Product apache cxf
Published Jun 12, 2026
Last Updated Jun 12, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache cxf

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache cxf are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

Apache Software Foundation / Apache CXF
4.2.0 < 4.2.2 0 < 4.1.7

References

NVD β†— CVE.org β†— EPSS Data β†—
lists.apache.org: https://lists.apache.org/thread/xw95po30p8th58ms1no6b0f2375cql00 openwall.com: http://www.openwall.com/lists/oss-security/2026/06/11/6

Credits

Guanping Zhang reported this vulnerability.