CVE-2026-50627
Status: Received - Intake
Apache CXF JWT Audience Claim Validation Bypass

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Apache Software Foundation

Description
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claim of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: apache; Product: cxf; Version / Range: to 4.1.7 (inc)
Vendor: apache; Product: cxf; Version / Range: to 4.2.2 (inc)
CWE
CWE-289: The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Executive Summary

The vulnerability exists in the JwtAccessTokenValidator class of Apache CXF, where it fails to properly validate the 'aud' (Audience) claim in incoming JWT access tokens.

Because of this failure, a JWT that was issued for one Resource Server can be replayed and accepted by a completely different Resource Server.

This flaw enables Token Confusion or Routing attacks, where an attacker can misuse tokens across different servers.

Impact Analysis

This vulnerability can allow attackers to reuse JWT access tokens issued for one Resource Server on another Resource Server.

Such token replay can lead to unauthorized access, as the receiving server incorrectly trusts the token without verifying its intended audience.

This can result in security breaches, data exposure, or unauthorized actions within systems relying on Apache CXF for JWT validation.

Mitigation Strategies

To mitigate the CVE-2026-50627 vulnerability, users are advised to upgrade Apache CXF to versions 4.2.2 or 4.1.7, which contain the fix for the JwtAccessTokenValidator class failing to validate the 'aud' claim in JWT access tokens.
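The following is an added illustration, written for this page in Python rather than taken from Apache CXF, of the check that distinguishes the two validator behaviours described above. It uses a constructed HS256 signing key and constructed resource-server identifiers (orders and billing) so that it runs offline; the function names and the claim values are assumptions for the demo. The signature-only validator accepts a token minted for the orders API when it is presented to the billing API, while the audience-aware validator requires the 'aud' claim to be present and to name the server doing the check, handling both the single-string and the array form that RFC 7519 permits.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: stands in for the authorization server's signing key.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS encodes its segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue a compact HS256 JWT for the demo (the authorization server's side)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_and_decode(token: str, key: bytes, now: float) -> dict:
    """Signature and expiry checks shared by both validators below."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def accept_signature_only(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Vulnerable pattern (the CWE-289 behaviour described above): a good
    signature is taken as sufficient, so a token minted for any audience is
    accepted by whichever resource server receives it."""
    return _verify_and_decode(token, key, time.time() if now is None else now)


def accept_for_audience(token: str, my_audience: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Hardened pattern: the token must name this resource server in 'aud'.
    RFC 7519 allows 'aud' to be a single string or an array of strings; a
    missing claim is rejected rather than treated as 'valid for any audience'."""
    claims = _verify_and_decode(token, key, time.time() if now is None else now)
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("token carries no aud claim")
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if my_audience not in audiences:
        raise ValueError(f"token audience {audiences} does not include {my_audience}")
    return claims


if __name__ == "__main__":
    # Constructed scenario: a token issued for the orders API is replayed at billing.
    token = mint_token({"sub": "alice", "aud": "https://orders.example/api", "exp": 4102444800})
    print("signature-only validator at billing accepts:", accept_signature_only(token)["sub"])
    try:
        accept_for_audience(token, "https://billing.example/api")
    except ValueError as err:
        print("audience-aware validator at billing rejects:", err)
```

The point of the hardened variant is that each resource server compares the token against its own identifier, not merely against a list of "known" audiences: a token that is cryptographically valid and unexpired is still out of scope if it was issued for a different server.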

Compliance Impact

The vulnerability in Apache CXF's JwtAccessTokenValidator allows JWT tokens issued for one Resource Server to be replayed against a different Resource Server due to failure to validate the 'aud' claim. This can lead to Token Confusion or Routing attacks, potentially allowing unauthorized access to protected resources.

Such unauthorized access risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If attackers exploit this vulnerability, it could result in unauthorized data access or disclosure, thereby violating these regulations' requirements for data confidentiality and integrity.

Therefore, organizations using affected versions of Apache CXF may face compliance challenges unless they upgrade to fixed versions (4.2.2 or 4.1.7) that address this issue.
