CVE-2026-50630
Status: Received - Intake
CRLF Injection in Apache OAuth2 AuthorizationUtils

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Apache Software Foundation

Description
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class of Apache CXF. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated into the header value without neutralizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can terminate the header early and inject arbitrary HTTP headers, or split the HTTP response entirely. Users are recommended to upgrade to version 4.2.2 (4.2.x line) or 4.1.7 (4.1.x line), which fix this issue.
Affected Vendors & Products
2 associated CPEs
Vendor Product Version
apache cxf 4.1.7
apache cxf 4.2.2
Note: the two CPEs listed are the fixed versions named in the description, not the vulnerable ones. Releases earlier than 4.1.7 in the 4.1.x line and earlier than 4.2.2 in the 4.2.x line should be treated as affected; the page gives no explicit lower bound.
CWE ID Description
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): the product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Executive Summary

CVE-2026-50630 is a CRLF (Carriage Return Line Feed) injection vulnerability in the OAuth2 AuthorizationUtils class of Apache CXF. When the class builds a WWW-Authenticate response header, it concatenates the 'realm' parameter into the header value without neutralizing CR and LF characters. An attacker who can control the realm value can therefore end the WWW-Authenticate line early, append arbitrary HTTP headers, or, with a CRLF CRLF sequence, split the response and supply a body of their own. The precondition is attacker influence over the realm value; where the realm is a fixed value that untrusted input cannot reach, the injection point is not exposed.

Impact Analysis

This vulnerability lets an attacker manipulate the HTTP response a client or intermediary receives, by injecting arbitrary headers or splitting the response into two. Classic consequences of HTTP response splitting apply: web cache poisoning (an intermediary caches the attacker's second response under a legitimate URL), cross-site scripting (the injected body is rendered by the browser in the application's origin), and injection of headers such as Set-Cookie or Location that compromise the integrity of the session. The trigger is any request path that produces a 401 response carrying the WWW-Authenticate header with an attacker-influenced realm.
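The following added example is not Apache CXF code and does not reproduce the project's fix; it models in Python the flaw the description and impact sections above describe. It contains a builder that concatenates the realm into WWW-Authenticate unchanged, a hardened builder that refuses CR/LF, and a minimal response parser that shows what a downstream proxy or client actually sees. The realm value, the X-Injected header name and the HTML body are constructed for the example, and the page does not state how the upstream fix neutralizes the characters, so the rejecting behaviour of the hardened builder is an assumption.

```python
from __future__ import annotations

import re

# Realm value an attacker might supply where the realm is attacker-controlled.
# Constructed for this example; the X-Injected header name and the HTML body
# are hypothetical and stand in for whatever the attacker would choose.
MALICIOUS_REALM = 'api\r\nX-Injected: 1\r\n\r\n<html>attacker body</html>'

_CR_OR_LF = re.compile(r"[\r\n]")


def build_www_authenticate_vulnerable(realm: str) -> str:
    """Model of the flawed construction the advisory describes: the realm is
    concatenated into the header value with no CR/LF neutralisation."""
    return f'Bearer realm="{realm}"'


def build_www_authenticate_hardened(realm: str) -> str:
    """Rejects any realm containing CR or LF before it reaches the header.

    Rejecting rather than silently stripping is a design choice made for this
    example (a caller then notices a hostile value); stripping CR/LF is the
    other common fix. The advisory does not say which approach CXF adopted.
    """
    if _CR_OR_LF.search(realm):
        raise ValueError("realm must not contain CR or LF")
    # Escape embedded double quotes so the quoted-string stays well formed.
    return 'Bearer realm="' + realm.replace('"', '\\"') + '"'


def render_response(www_authenticate: str) -> bytes:
    """Serialises a minimal 401 response the way a server puts it on the
    wire: status line, two headers, blank line, empty body."""
    return (
        "HTTP/1.1 401 Unauthorized\r\n"
        f"WWW-Authenticate: {www_authenticate}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def parse_response(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Splits raw bytes into (headers, body) the way a simple HTTP parser on a
    proxy or client does: the first CRLF CRLF ends the header block."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers, body


def injected_header_names(realm: str) -> list[str]:
    """Header names a recipient sees that the server never meant to send, when
    the vulnerable builder is used with the given realm."""
    headers, _ = parse_response(render_response(build_www_authenticate_vulnerable(realm)))
    return sorted(set(headers) - {"WWW-Authenticate", "Content-Length"})


def smuggled_body(realm: str) -> bytes:
    """Body a recipient sees for the vulnerable builder: attacker-supplied
    content when the realm carries a CRLF CRLF sequence, empty otherwise."""
    _, body = parse_response(render_response(build_www_authenticate_vulnerable(realm)))
    return body


if __name__ == "__main__":
    print("vulnerable, benign realm :", injected_header_names("api"))
    print("vulnerable, hostile realm:", injected_header_names(MALICIOUS_REALM))
    print("smuggled body            :", smuggled_body(MALICIOUS_REALM)[:26])
    try:
        build_www_authenticate_hardened(MALICIOUS_REALM)
    except ValueError as exc:
        print("hardened builder rejected:", exc)
```

Running it shows the injected header appearing as a separate header and the attacker's HTML arriving as the response body, with the server's own Content-Length line pushed into that body. That displacement is exactly what makes cache poisoning and XSS possible once an intermediary caches, or a browser renders, the attacker's half of the split response.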

Mitigation Strategies

To mitigate this vulnerability, upgrade Apache CXF to version 4.2.2 (4.2.x line) or 4.1.7 (4.1.x line), which contain the fix. Until the upgrade is applied, audit where the realm value used for the WWW-Authenticate header comes from and make sure no request-derived data can reach it; a quick check is to send a request that yields a 401 and confirm that the raw response contains a single, well-formed WWW-Authenticate line and no unexpected headers following it.
