Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService
CVE-2026-50623

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Cxf
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-50623?

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

https://lists.apache.org/thread/ydzj8m5mqmjy13xgyj9mkk9hf...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Guanping Zhang reported this vulnerability.

CVE-2026-50623 Data

JSON