Authentication Bypass in Apache CXF's JwsJsonContainerRequestFilter
CVE-2026-50634

6.5MEDIUM

Key Information:

Vendor

Apache

Vendor
CVE Published:
12 June 2026

What is CVE-2026-50634?

A weakness in Apache CXF's JwsJsonContainerRequestFilter allows unauthorized processing of metadata without authentication of the accepted signature. This vulnerability can disrupt the application's reliance on expected Content-Type or HTTP-header metadata that should originate from a verified signature. It may lead to improper handling of downstream JAX-RS entity parsing or violate signed-header consistency checks. Users are urged to update to versions 4.2.2 or 4.1.7 to mitigate this issue.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mitchell Benjamin / Revamp Studio.
.