Race Condition Vulnerability in Apache AbstractOAuthDataProvider
CVE-2026-50631

7.4HIGH

Key Information:

Vendor

Apache

Vendor
CVE Published:
12 June 2026

What is CVE-2026-50631?

A race condition exists in Apache's AbstractOAuthDataProvider, wherein simultaneous requests utilizing the same Refresh Token can circumvent the intended single-use functionality. This occurs when the 'recycleRefreshTokens' option is disabled, allowing malicious actors to generate multiple valid Access Tokens concurrently if they possess a compromised Refresh Token. Users are strongly urged to upgrade to the latest versions 4.2.2 or 4.1.7 to mitigate this issue, thereby securing their authentication processes.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Guanping Zhang reported this vulnerability.
.