CRLF Injection Vulnerability in OAuth2 AuthorizationUtils by Apache
CVE-2026-50630

6.5MEDIUM

Key Information:

Vendor

Apache

Vendor
CVE Published:
12 June 2026

What is CVE-2026-50630?

A vulnerability exists in the OAuth2 AuthorizationUtils class from Apache, where the 'realm' parameter in the WWW-Authenticate response header is not properly sanitized for Carriage Return (CR) and Line Feed (LF) characters. This flaw allows an attacker to control the realm value, potentially leading to arbitrary HTTP header injection or complete HTTP response splitting. Users are strongly advised to upgrade to the latest fixed versions to mitigate risk.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Guanping Zhang reported this vulnerability.
.