CVE-2026-50631

CVE-2026-50631: Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing

Vendor Apache Software Foundation

Product Apache CXF

Weakness CWE-367

Published June 12, 2026

Last update June 12, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Key dates

Disclosure timeline

June 12, 2026 CVE published

June 12, 2026 Record updated

Identifiers

CVE CVE-2026-50631

CWE CWE-367

Affected versions

Vendor Apache Software Foundation

Product Apache CXF

Affected ≥ 4.2.0 and < 4.2.2

Vendor Apache Software Foundation

Product Apache CXF

Affected < 4.1.7