CVE-2026-50634
Analyzed Analyzed - Analysis Complete

Authentication Bypass in Apache CXF JwsJsonContainerRequestFilter

Vulnerability report for CVE-2026-50634, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Apache Software Foundation

Description

A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-07-01
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache cxf to 4.1.7 (exc)
apache cxf From 4.2.0 (inc) to 4.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Apache CXF's JwsJsonContainerRequestFilter and allows an attacker to manipulate metadata that was not authenticated by the accepted signature.

Because of this flaw, the application may incorrectly trust `Content-Type` or protected HTTP-header metadata that it assumes came from a verified signature.

This can lead to bypassing security checks related to JAX-RS entity parsing or signed-header consistency.

The issue affects Apache CXF versions 4.2.0 before 4.2.2 and versions before 4.1.7, and users are recommended to upgrade to versions 4.2.2 or 4.1.7 to fix the problem.

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass the application's assumptions about the authenticity of certain HTTP metadata.

As a result, attackers may manipulate the processing of HTTP headers or entity parsing, potentially leading to unauthorized actions or data being processed incorrectly.

This could undermine the security of applications relying on Apache CXF for handling signed HTTP requests, possibly leading to data integrity or trust issues.

Compliance Impact

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache CXF to versions 4.2.2 or 4.1.7, which contain fixes for this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50634. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart