CVE-2026-50627
Status: Modified - Updated After Analysis
Apache CXF JWT Audience Claim Validation Bypass
Vulnerability report for CVE-2026-50627, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-12
Last updated on: 2026-07-02
Assigner: Apache Software Foundation
Description
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claim of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
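To make the described weakness concrete, the following is an added example and not Apache CXF code (it does not reproduce the JwtAccessTokenValidator API). It builds a minimal HS256 JWT issuer and verifier on the Python standard library, then contrasts a validator that only checks the signature and expiry (the pattern this CVE describes) with one that also requires the resource server's own identifier in the 'aud' claim, handling both the string and the array form that RFC 7519 permits. The shared secret, issuer URL and the resource-server names 'orders-api' and 'billing-api' are constructed for the demonstration.

```python
"""Audience ('aud') claim validation for JWT access tokens.

Added example, not Apache CXF code. Minimal HS256 JWT encode/verify on the
standard library so it runs offline; key, issuer and resource-server
identifiers below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared HS256 secret (demo only).
SECRET = b"demo-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT (stands in for the authorization server)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes = SECRET) -> dict:
    """Check algorithm, HS256 signature and expiry only; return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def validate_without_audience(token: str) -> dict:
    """Weak validator: accepts any correctly signed, unexpired token,
    no matter which resource server it was issued for."""
    return verify_signature(token)


def validate_with_audience(token: str, my_audience: str) -> dict:
    """Hardened validator: additionally requires this resource server's
    identifier in 'aud'. RFC 7519 allows 'aud' to be a string or an array
    of strings; a token with no 'aud' at all is rejected."""
    claims = verify_signature(token)
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("token carries no 'aud' claim")
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if my_audience not in audiences:
        raise ValueError(f"audience {audiences!r} does not include {my_audience!r}")
    return claims


def demo() -> tuple:
    """Replay a token minted for 'orders-api' against 'billing-api'.
    Returns (weak validator accepts, strict validator accepts,
    strict validator accepts at the intended audience)."""
    token = issue_token({"iss": "https://auth.example.test", "sub": "alice",
                         "aud": "orders-api", "exp": int(time.time()) + 300})
    weak_accepts = validate_without_audience(token)["sub"] == "alice"
    try:
        validate_with_audience(token, "billing-api")
        strict_accepts = True
    except ValueError:
        strict_accepts = False
    intended_ok = validate_with_audience(token, "orders-api")["sub"] == "alice"
    return weak_accepts, strict_accepts, intended_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The audience check is deliberately performed after signature verification so an unsigned or tampered token is never inspected for routing decisions; the point of the fix is that signature validity alone says nothing about which service a token was meant for.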
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | cxf | Before 4.1.7 (exc) |
| apache | cxf | From 4.2.0 (inc) to 4.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-303 | The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. |
| CWE-289 | The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. |