CVE-2026-50627: Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator

Colm O hEigeartaigh Thu, 11 Jun 2026 09:52:11 -0700

Severity: important 

Affected versions:


- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' 
(Audience) claims of incoming JWT access tokens. This allows a JWT issued for 
one Resource Server to be successfully replayed against a completely different 
Resource Server, leading to Token Confusion/Routing attacks. Users are 
recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Credit:

Guanping Zhang reported this vulnerability. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50627

CVE-2026-50627: Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator

Reply via email to