Authentication Bypass in Apache CXF TokenIntrospectionService
CVE-2026-50623
4.8MEDIUM
What is CVE-2026-50623?
An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService within Apache CXF. This issue arises from the absence of a 'throw' keyword during security context validation, enabling unauthenticated network attackers to access the introspection endpoint (/services/oauth2/introspect) if authentication was not enabled on the service. To mitigate this vulnerability, users are advised to upgrade to Apache CXF versions 4.2.2 or 4.1.7.
Affected Version(s)
Apache CXF 4.2.0 < 4.2.2
Apache CXF 0 < 4.1.7