CVE-2026-50623
Status: Modified (updated after analysis)

Authentication Bypass in Apache CXF OAuth2 TokenIntrospectionService


Publication date: 2026-06-12

Last updated on: 2026-06-16

Assigner: Apache Software Foundation

Description

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. Note, however, that this check is only a safeguard for the case where someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.
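The defect class the description names, shown here as an added illustration that is not Apache CXF's source: a guard that constructs an exception but never throws it, beside the corrected form. The class and method names are hypothetical; the only thing taken from the advisory is the shape of the bug.

```java
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.core.SecurityContext;

// Hypothetical illustration of the bug class described in the advisory.
// Not Apache CXF code; names are made up for the example.
public class IntrospectionGuard {

    // Broken guard: the exception object is created and immediately discarded,
    // so execution falls through and the caller proceeds as if the check had passed.
    static void checkAuthenticatedBroken(SecurityContext sc) {
        if (sc == null || sc.getUserPrincipal() == null) {
            new NotAuthorizedException("Bearer"); // missing 'throw': this line is a no-op
        }
    }

    // Corrected guard: the exception is thrown, so an unauthenticated request
    // never reaches the token lookup behind the endpoint.
    static void checkAuthenticated(SecurityContext sc) {
        if (sc == null || sc.getUserPrincipal() == null) {
            throw new NotAuthorizedException("Bearer");
        }
    }
}
```

Both methods compile without warnings from javac, which is why this class of defect survives review so easily; static analysers such as Error Prone's DeadException check and SpotBugs' RV_EXCEPTION_NOT_THROWN detector flag the discarded exception and are worth running on authentication and authorization code paths.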

Meta Information

  • Published: 2026-06-12
  • Last Modified: 2026-06-16
  • Generated: 2026-07-02
  • AI Q&A: 2026-06-12
  • EPSS Evaluated: 2026-07-01
  • Sources: NVD, EUVD

Affected Vendors & Products

Vendor   Product   Version / Range
apache   cxf       up to 4.1.7 (excluding)
apache   cxf       from 4.2.0 (including) up to 4.2.2 (excluding)

Exploitability

CWE ID   Description
CWE-287  When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

AI Quick Actions

Compliance Impact

The vulnerability allows unauthenticated network attackers to access the OAuth2 TokenIntrospectionService endpoint if authentication is not enabled, potentially exposing sensitive token information.

Such unauthorized access could lead to unauthorized disclosure or misuse of authentication tokens, which may impact compliance with data protection standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive data.

However, this vulnerability only applies if authentication is not enabled on the service, which is considered a misconfiguration. Properly enabling authentication and upgrading to fixed versions mitigates this risk.

Executive Summary

CVE-2026-50623 is an authentication bypass vulnerability in the OAuth2 TokenIntrospectionService of Apache CXF. The issue is caused by a missing 'throw' keyword in the security context check, which allows unauthenticated network attackers to access the introspection endpoint located at /services/oauth2/introspect.

This vulnerability only affects deployments where authentication has not been enabled on the service; the bypassed check is a safeguard for the case where authentication was forgotten or never configured.

Users are recommended to upgrade to Apache CXF versions 4.2.2 or 4.1.7, which contain fixes for this issue.

Impact Analysis

If you are running an affected version of Apache CXF and have not enabled authentication on the OAuth2 TokenIntrospectionService, an unauthenticated attacker could access the introspection endpoint.

This could potentially allow unauthorized parties to gain information about OAuth2 tokens, which might lead to unauthorized access or misuse of protected resources.

However, if authentication is properly enabled on the service, this vulnerability does not pose a risk.

Detection Guidance

This vulnerability allows unauthenticated access to the OAuth2 TokenIntrospectionService endpoint at /services/oauth2/introspect if authentication is not enabled.

To detect this vulnerability, you can attempt to access the introspection endpoint without authentication and observe whether access is granted.

For example, you can use the following command to test access:

  • curl -v http://<server-address>/services/oauth2/introspect

If the endpoint responds without requiring authentication, the system is vulnerable.

Mitigation Strategies

The primary mitigation step is to upgrade Apache CXF to version 4.2.2 or 4.1.7, where this vulnerability is fixed.

Additionally, ensure that authentication is properly enabled on the OAuth2 TokenIntrospectionService endpoint to prevent unauthenticated access.
