OAuth2 Server Log Injection Vulnerability in Apache
CVE-2026-50629

5.3MEDIUM

Key Information:

Vendor

Apache

Vendor
CVE Published:
12 June 2026

What is CVE-2026-50629?

The vulnerability identified in the Apache OAuth2 server arises from the improper handling of the 'clientId' parameter in incoming HTTP requests. This parameter is directly concatenated into server log warning messages without sanitizing control characters, allowing attackers to inject arbitrary data into the server logs. This could lead to misleading log entries and potentially obscure genuine security events. Users are advised to upgrade to versions 4.2.2 or 4.1.7 to address this issue.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Guanping Zhang reported this vulnerability.
.