CVE-2026-50627

Vulnerability Description

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Vulnerability Details

Published Date

June 12, 2026

Last Modified

June 12, 2026

CWE ID

CWE-289

Source

NVD

Vendor

Apache Software Foundation

Product

Apache CXF

External References

https://lists.apache.org/thread/0jfzz9q992957b99tw7hodcqjfyxwb1m
http://www.openwall.com/lists/oss-security/2026/06/11/4

CVE-2026-50627

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment