OAuth2 Server Log Injection Vulnerability in Apache
CVE-2026-50629
5.3MEDIUM
What is CVE-2026-50629?
The vulnerability identified in the Apache OAuth2 server arises from the improper handling of the 'clientId' parameter in incoming HTTP requests. This parameter is directly concatenated into server log warning messages without sanitizing control characters, allowing attackers to inject arbitrary data into the server logs. This could lead to misleading log entries and potentially obscure genuine security events. Users are advised to upgrade to versions 4.2.2 or 4.1.7 to address this issue.
Affected Version(s)
Apache CXF 4.2.0 < 4.2.2
Apache CXF 0 < 4.1.7