CVE-2026-50627

CVE-2026-50627: Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator

Vendor Apache Software Foundation
Product Apache CXF
Weakness CWE-289
Published June 12, 2026
Last update June 15, 2026

CVSS base score

What the vulnerability does

Description

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claim (and, as the title notes, the 'iss' (Issuer) claim) of incoming JWT access tokens. Because every resource server that trusts the same authorization server accepts the same signature, a JWT issued for one resource server can be replayed against a completely different resource server and will pass validation there, enabling token confusion (token routing) attacks. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fix this issue.
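To make the failure mode concrete, the following is an added example written for this page; it is not Apache CXF code and does not reproduce the JwtAccessTokenValidator implementation. It builds a minimal HS256 JWT validator in Python using only the standard library, with a validator that checks only signature and expiry (the shape of the flaw) beside one that also pins 'iss' and 'aud'. The issuer key, the two resource-server identifiers ("billing-api", "orders-api") and the claim values are constructed sample data. The HS256 shared key stands in for whatever key material the authorization server and resource servers share; the point holds equally for asymmetric signatures, since both resource servers trust the same signer.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT. Stands in for the authorization server; the key is
    a constructed sample, not a real credential."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_signature(token: str, key: bytes) -> dict:
    """Verify the HS256 signature and return the decoded claims. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_vulnerable(token: str, key: bytes, now: float) -> dict:
    """The shape of the flaw: signature and expiry are checked, 'aud' and 'iss' are not.
    Any unexpired token the authorization server issued for *any* resource server passes."""
    claims = _verify_signature(token, key)
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def validate_hardened(token: str, key: bytes, expected_iss: str, expected_aud: str, now: float) -> dict:
    """Signature, expiry, issuer and audience. 'aud' may be a string or a list (RFC 7519
    section 4.1.3); this resource server's own identifier must appear in it."""
    claims = _verify_signature(token, key)
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud_list, list) or expected_aud not in aud_list:
        raise ValueError("audience mismatch")
    return claims


def replay_demo() -> tuple:
    """Mint a token for 'billing-api' and present it to 'orders-api'. Both resource servers
    trust the same authorization-server key, which is what makes the replay possible.
    Returns (vulnerable_accepts, hardened_accepts)."""
    key = b"constructed-sample-key-not-a-real-secret"
    now = 1_700_000_000  # constructed clock value so the run is deterministic
    token = mint_token(
        {"iss": "https://as.example", "aud": "billing-api", "sub": "alice", "exp": now + 300}, key
    )
    vulnerable_accepts = validate_vulnerable(token, key, now).get("sub") == "alice"
    try:
        validate_hardened(token, key, "https://as.example", "orders-api", now)
        hardened_accepts = True
    except ValueError:
        hardened_accepts = False
    return vulnerable_accepts, hardened_accepts


if __name__ == "__main__":
    print("vulnerable validator accepts replayed token: %s, hardened validator: %s" % replay_demo())
```

The hardened check compares 'aud' against the resource server's own identifier rather than merely requiring the claim to be present: a token whose 'aud' names some other service is exactly the one that must be rejected. Checking 'iss' alongside it closes the analogous confusion between two issuers whose keys happen to be trusted by the same server.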

Key dates

Disclosure timeline

June 12, 2026 CVE published
June 15, 2026 Record updated