Token Validation Flaw in Apache CXF Affects Multiple Resource Servers
CVE-2026-50627

9.1CRITICAL

Key Information:

Vendor

Apache

Vendor
CVE Published:
12 June 2026

What is CVE-2026-50627?

A vulnerability exists in the JwtAccessTokenValidator class of Apache CXF, where it fails to properly validate the 'aud' (Audience) claims of incoming JWT access tokens. This flaw allows an attacker to reuse a JWT that was issued for one Resource Server and present it to a different Resource Server, leading to potential Token Confusion or routing attacks. It is crucial for users to upgrade to versions 4.2.2 or 4.1.7 to mitigate this security risk.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Guanping Zhang reported this vulnerability.
.