CVE-2026-50627
Status: Modified (updated after analysis)

Apache CXF JWT Audience Claim Validation Bypass

Vulnerability report for CVE-2026-50627, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-07-02

Assigner: Apache Software Foundation

Description

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claim of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
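The check that the description says is missing, shown as an added example that is not Apache CXF's own code: a resource server must confirm that its own identifier appears in the token's 'aud' claim, which RFC 7519 allows to be a single string or an array of strings, and must reject tokens that carry no audience at all. The audience URLs, the token payloads and the helper names are constructed for this illustration; signature verification is assumed to have been done separately before this function is consulted.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def audience_accepts(payload_b64: str, expected_audience: str) -> bool:
    """Return True only if the token's 'aud' claim names this resource server.

    RFC 7519 section 4.1.3: 'aud' is either a single string or an array of
    strings, and a recipient that does not find itself in it must reject the
    token. A missing 'aud' is rejected too, so an audience-less token cannot be
    replayed against any server. Signature checks are assumed to be done already.
    """
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        return aud == expected_audience
    if isinstance(aud, list):
        return all(isinstance(a, str) for a in aud) and expected_audience in aud
    return False  # any other JSON type is malformed


def make_payload(claims: dict) -> str:
    """Build a constructed, unsigned payload segment (hypothetical helper)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample payloads: one minted for the orders API, one naming two
# audiences, and one with no audience claim at all.
ORDERS_TOKEN = make_payload({"iss": "https://as.example", "sub": "alice",
                             "aud": "https://orders.example"})
MULTI_TOKEN = make_payload({"sub": "bob",
                            "aud": ["https://orders.example", "https://billing.example"]})
NO_AUD_TOKEN = make_payload({"sub": "carol"})

if __name__ == "__main__":
    # The token issued for orders is valid there but must not be accepted by billing.
    print(audience_accepts(ORDERS_TOKEN, "https://orders.example"))   # True
    print(audience_accepts(ORDERS_TOKEN, "https://billing.example"))  # False
```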

Meta Information

Published: 2026-06-12
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-07-01
Sources: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor   Product   Version / Range
apache   cxf       up to 4.1.7 (excluding)
apache   cxf       from 4.2.0 (including) up to 4.2.2 (excluding)

Exploitability

CWE ID    Description
CWE-303   The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
CWE-289   The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

AI Quick Actions

Executive Summary

The vulnerability exists in the JwtAccessTokenValidator class of Apache CXF, where it fails to properly validate the 'aud' (Audience) claim in incoming JWT access tokens.

Because of this failure, a JWT token that was issued for one Resource Server can be replayed and accepted by a completely different Resource Server.

This flaw enables Token Confusion or Routing attacks, where an attacker can misuse tokens across different servers.

Impact Analysis

This vulnerability can allow attackers to reuse JWT access tokens issued for one Resource Server on another Resource Server.

Such token replay can lead to unauthorized access, as the receiving server incorrectly trusts the token without verifying its intended audience.

This can result in security breaches, data exposure, or unauthorized actions within systems relying on Apache CXF for JWT validation.

Mitigation Strategies

To mitigate CVE-2026-50627, upgrade Apache CXF to version 4.2.2 or 4.1.7. These releases contain the fix for the JwtAccessTokenValidator class, which previously did not validate the 'aud' claim of JWT access tokens.

Compliance Impact

The vulnerability in Apache CXF's JwtAccessTokenValidator allows JWT tokens issued for one Resource Server to be replayed against a different Resource Server due to failure to validate the 'aud' claim. This can lead to Token Confusion or Routing attacks, potentially allowing unauthorized access to protected resources.

Such unauthorized access risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If attackers exploit this vulnerability, it could result in unauthorized data access or disclosure, thereby violating these regulations' requirements for data confidentiality and integrity.

Therefore, organizations using affected versions of Apache CXF may face compliance challenges unless they upgrade to fixed versions (4.2.2 or 4.1.7) that address this issue.
