Token Validation Flaw in Apache CXF Affects Multiple Resource Servers
CVE-2026-50627
9.1CRITICAL
What is CVE-2026-50627?
A vulnerability exists in the JwtAccessTokenValidator class of Apache CXF, where it fails to properly validate the 'aud' (Audience) claims of incoming JWT access tokens. This flaw allows an attacker to reuse a JWT that was issued for one Resource Server and present it to a different Resource Server, leading to potential Token Confusion or routing attacks. It is crucial for users to upgrade to versions 4.2.2 or 4.1.7 to mitigate this security risk.
Affected Version(s)
Apache CXF 4.2.0 < 4.2.2
Apache CXF 0 < 4.1.7