Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing
CVE-2026-50631

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Cxf
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-50631?

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

https://lists.apache.org/thread/s83t3x4r626o9h8rt0ryr1w7w...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Guanping Zhang reported this vulnerability.

CVE-2026-50631 Data

JSON