Back to CVE List

CVE-2026-50631

HIGH SEVERITY

CVSS Score & Metrics

Base Score
7.4 / 10
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Description

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-367
Source
NVD
Vendor
Apache Software Foundation
Product
Apache CXF

External References

Discussion (0)

Add Comment

No comments yet. Be the first!