Authentication Bypass in Apache CXF TokenIntrospectionService
CVE-2026-50623

4.8MEDIUM

Key Information:

Vendor

Apache

Vendor
CVE Published:
12 June 2026

What is CVE-2026-50623?

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService within Apache CXF. This issue arises from the absence of a 'throw' keyword during security context validation, enabling unauthenticated network attackers to access the introspection endpoint (/services/oauth2/introspect) if authentication was not enabled on the service. To mitigate this vulnerability, users are advised to upgrade to Apache CXF versions 4.2.2 or 4.1.7.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Guanping Zhang reported this vulnerability.
.