CRLF Injection Vulnerability in OAuth2 AuthorizationUtils by Apache
CVE-2026-50630
6.5MEDIUM
What is CVE-2026-50630?
A vulnerability exists in the OAuth2 AuthorizationUtils class from Apache, where the 'realm' parameter in the WWW-Authenticate response header is not properly sanitized for Carriage Return (CR) and Line Feed (LF) characters. This flaw allows an attacker to control the realm value, potentially leading to arbitrary HTTP header injection or complete HTTP response splitting. Users are strongly advised to upgrade to the latest fixed versions to mitigate risk.
Affected Version(s)
Apache CXF 4.2.0 < 4.2.2
Apache CXF 0 < 4.1.7