Authentication Bypass in Apache CXF's JwsJsonContainerRequestFilter
CVE-2026-50634
6.5MEDIUM
What is CVE-2026-50634?
A weakness in Apache CXF's JwsJsonContainerRequestFilter allows unauthorized processing of metadata without authentication of the accepted signature. This vulnerability can disrupt the application's reliance on expected Content-Type or HTTP-header metadata that should originate from a verified signature. It may lead to improper handling of downstream JAX-RS entity parsing or violate signed-header consistency checks. Users are urged to update to versions 4.2.2 or 4.1.7 to mitigate this issue.
Affected Version(s)
Apache CXF 4.2.0 < 4.2.2
Apache CXF 0 < 4.1.7