CVE-2026-50630

CVE-2026-50630: Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection

Vendor Apache Software Foundation

Product Apache CXF

Weakness CWE-113 · HTTP response splitting

Published June 12, 2026

Last update June 12, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Key dates

Disclosure timeline

June 12, 2026 CVE published

June 12, 2026 Record updated

Identifiers

CVE CVE-2026-50630

CWE CWE-113

Affected versions

Vendor Apache Software Foundation

Product Apache CXF

Affected ≥ 4.2.0 and < 4.2.2

Vendor Apache Software Foundation

Product Apache CXF

Affected < 4.1.7