CVE-2026-50623
Authentication Bypass in Apache CXF OAuth2 TokenIntrospectionService

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Apache Software Foundation

Description
An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. Note, however, that this check is a safeguard only for the case in which someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.
Affected Vendors & Products

Vendor   Product   Version / Range
apache   cxf       up to 4.2.2 (excluding)
apache   cxf       up to 4.1.7 (excluding)
CWE ID    Description
CWE-287   Improper Authentication: when an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

CVE-2026-50623 is an authentication bypass vulnerability in the OAuth2 TokenIntrospectionService of Apache CXF. The issue is caused by a missing 'throw' keyword in the security context check, which allows unauthenticated network attackers to access the introspection endpoint located at /services/oauth2/introspect.

This vulnerability only affects deployments that have not enabled authentication on the service: the broken check is a safeguard against a forgotten or missing authentication configuration, so a deployment that already authenticates callers to the endpoint is not exposed by it.

Users are recommended to upgrade to Apache CXF versions 4.2.2 or 4.1.7, which contain fixes for this issue.
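As an added illustration that is not Apache CXF source (the interface, class and method names below are invented), the following Java model contrasts a security context check that constructs an exception without throwing it with the corrected form, and shows that an anonymous caller passes the vulnerable check:

```java
import java.security.Principal;

// Hypothetical model for illustration only (not Apache CXF source); all names are invented.
public class IntrospectionCheckDemo {

    /** Stand-in for a JAX-RS SecurityContext; a null principal means unauthenticated. */
    interface SecurityContext {
        Principal getUserPrincipal();
    }

    static class NotAuthorizedException extends RuntimeException {
        NotAuthorizedException(String msg) { super(msg); }
    }

    /**
     * Vulnerable pattern: the exception is built as a bare expression statement.
     * This compiles without error, nothing is thrown, and the caller continues
     * exactly as if the check had passed.
     */
    static void checkSecurityContextVulnerable(SecurityContext sc) {
        if (sc == null || sc.getUserPrincipal() == null) {
            new NotAuthorizedException("introspection requires an authenticated client");
        }
    }

    /** Fixed pattern: 'throw' aborts the request before any token data is looked up. */
    static void checkSecurityContextFixed(SecurityContext sc) {
        if (sc == null || sc.getUserPrincipal() == null) {
            throw new NotAuthorizedException("introspection requires an authenticated client");
        }
    }

    /** True if the request would reach the introspection logic (the token lookup). */
    static boolean introspectionReached(SecurityContext sc, boolean fixed) {
        try {
            if (fixed) checkSecurityContextFixed(sc); else checkSecurityContextVulnerable(sc);
            return true;   // token lookup and the RFC 7662 response would happen here
        } catch (NotAuthorizedException e) {
            return false;  // a JAX-RS ExceptionMapper would turn this into HTTP 401
        }
    }

    public static void main(String[] args) {
        SecurityContext anonymous = () -> null;                 // no authenticated principal
        SecurityContext client = () -> () -> "registered-app"; // Principal whose getName() is the client id
        System.out.println("vulnerable check, anonymous caller reaches lookup: " + introspectionReached(anonymous, false));
        System.out.println("fixed check, anonymous caller reaches lookup:      " + introspectionReached(anonymous, true));
        System.out.println("fixed check, authenticated caller reaches lookup:  " + introspectionReached(client, true));
    }
}
```

The vulnerable variant is also a good candidate for a static-analysis rule: a `new ...Exception(...)` used as an expression statement whose result is discarded is almost always a missing `throw`.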

Impact Analysis

If you are running an affected version of Apache CXF and have not enabled authentication on the OAuth2 TokenIntrospectionService, an unauthenticated attacker could access the introspection endpoint.

This could allow unauthorized parties to learn whether a presented token is active and what the introspection response reveals about it, which might lead to unauthorized access to or misuse of protected resources.

However, if authentication is properly enabled on the service, this vulnerability does not pose a risk.

Detection Guidance

This vulnerability allows unauthenticated access to the OAuth2 TokenIntrospectionService endpoint at /services/oauth2/introspect if authentication is not enabled.

To detect this vulnerability, attempt to reach the introspection endpoint without credentials and observe whether the request is rejected.

For example, you can use the following command to test access:

  • curl -v http://<server-address>/services/oauth2/introspect

If the endpoint responds without requiring authentication, the system is vulnerable. Judge the result by the response status rather than the body: an authentication challenge (HTTP 401 or 403) means the request was stopped before the service logic ran, while any other successful response means it reached the service without credentials. RFC 7662 defines introspection as a POST carrying a form-encoded token parameter, so a bare GET may be answered with 405 Method Not Allowed before any authentication check runs; treat a 405 as inconclusive rather than as evidence either way.

Mitigation Strategies

The primary mitigation step is to upgrade Apache CXF to version 4.2.2 or 4.1.7, where this vulnerability is fixed.

Additionally, ensure that authentication is properly enabled on the OAuth2 TokenIntrospectionService endpoint to prevent unauthenticated access. Because the fix only restores a safeguard, an authentication mechanism in front of the endpoint remains the control that matters on every version.
