Race Condition Vulnerability in Apache AbstractOAuthDataProvider
CVE-2026-50631
7.4HIGH
What is CVE-2026-50631?
A race condition exists in Apache's AbstractOAuthDataProvider, wherein simultaneous requests utilizing the same Refresh Token can circumvent the intended single-use functionality. This occurs when the 'recycleRefreshTokens' option is disabled, allowing malicious actors to generate multiple valid Access Tokens concurrently if they possess a compromised Refresh Token. Users are strongly urged to upgrade to the latest versions 4.2.2 or 4.1.7 to mitigate this issue, thereby securing their authentication processes.
Affected Version(s)
Apache CXF 4.2.0 < 4.2.2
Apache CXF 0 < 4.1.7