CVE-2026-50634
Received Received - Intake
Authentication Bypass in Apache CXF JwsJsonContainerRequestFilter

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Apache Software Foundation

Description
A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-50634
EUVD
EUVD-2026-36402
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache cxf to 4.2.2 (exc)
apache cxf to 4.1.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Apache CXF's JwsJsonContainerRequestFilter and allows an attacker to manipulate metadata that was not authenticated by the accepted signature.

Because of this flaw, the application may incorrectly trust `Content-Type` or protected HTTP-header metadata that it assumes came from a verified signature.

This can lead to bypassing security checks related to JAX-RS entity parsing or signed-header consistency.

The issue affects Apache CXF versions 4.2.0 before 4.2.2 and versions before 4.1.7, and users are recommended to upgrade to versions 4.2.2 or 4.1.7 to fix the problem.

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass the application's assumptions about the authenticity of certain HTTP metadata.

As a result, attackers may manipulate the processing of HTTP headers or entity parsing, potentially leading to unauthorized actions or data being processed incorrectly.

This could undermine the security of applications relying on Apache CXF for handling signed HTTP requests, possibly leading to data integrity or trust issues.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache CXF to versions 4.2.2 or 4.1.7, which contain fixes for this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50634. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart