Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
CVE-2026-50629

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Cxf
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-50629?

The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

https://lists.apache.org/thread/xw95po30p8th58ms1no6b0f23...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Guanping Zhang reported this vulnerability.

CVE-2026-50629 Data

JSON