Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry
CVE-2026-50634

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Cxf
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-50634?

A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption

that accepted Content-Type or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

https://lists.apache.org/thread/9nfwh9d3m4kznxrk1mz98hl0j...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Mitchell Benjamin / Revamp Studio.

CVE-2026-50634 Data

JSON