CVE-2026-50628

CVE-2026-50628: Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control

Vendor Apache Software Foundation
Product Apache CXF
Weakness CWE-20 · Input validation
Published June 12, 2026
Last update June 15, 2026

CVSS base score

What the vulnerability does

Description

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature therefore inadvertently creates an inverted security check. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fix this issue.
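The inverted comparison described above, as an added illustration in Java that is not Apache CXF's code: the class and method names, the way the bound address and the request's remote address are obtained, and the sample addresses are all assumptions, and the point is the negated comparison, shown beside its corrected form and a regression check.

```java
// Hypothetical illustration of the bug class in CVE-2026-50628, not Apache CXF code.
public final class IpBindingCheck {

    // Vulnerable form: the comparison is negated, so the IP the token was bound to
    // is the only address rejected and every other source address is accepted.
    static boolean allowVulnerable(String boundIp, String remoteIp) {
        return !boundIp.equals(remoteIp);
    }

    // Corrected form: only a request from the bound IP address passes.
    static boolean allowFixed(String boundIp, String remoteIp) {
        return boundIp.equals(remoteIp);
    }

    // Regression check a defender would add: the bound client must be accepted and
    // any other client must be rejected. Returns true only for the fixed behaviour.
    static boolean bindingEnforced(java.util.function.BiPredicate<String, String> allow) {
        String bound = "203.0.113.10";  // constructed sample: address the token was bound to
        String other = "198.51.100.7";  // constructed sample: unrelated client
        return allow.test(bound, bound) && !allow.test(bound, other);
    }

    public static void main(String[] args) {
        System.out.println("vulnerable check enforces binding: "
                + bindingEnforced(IpBindingCheck::allowVulnerable)); // false
        System.out.println("fixed check enforces binding: "
                + bindingEnforced(IpBindingCheck::allowFixed));      // true
    }
}
```

A test of this shape, run with the binding feature enabled, would have caught the inversion before release.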

Key dates

Disclosure timeline

June 12, 2026 CVE published
June 15, 2026 Record updated