Bug 2488302 (CVE-2026-50628)

Summary: CVE-2026-50628 cxf: org.apache.cxf/cxf-rt-rs-security-oauth2: cxf: Unauthorized access due to logic error in OAuthRequestFilter
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anujha, asoldano, bbaranow, bmaxwell, bstansbe, csutherl, dlofthou, dsoumis, fmariani, gmalinko, istudens, ivassile, iweiss, janstey, jclere, jwon, mcarlett, mosmerov, msvehla, nwallace, pdelbell, pesilva, pjindal, plodge, pmackay, rmaucher, rstancel, rstepani, szappis, tcunning, thjenkin, vdosoudi, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the OAuthRequestFilter component of cxf. A logic error in this filter inadvertently creates an inverse security check when enabled. This issue causes legitimate requests from a bound IP address to be rejected, while requests from any other IP address are blindly allowed. This could lead to unauthorized access to resources.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-12 10:01:27 UTC
A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this

security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Comment 3 errata-xmlrpc 2026-07-09 15:30:15 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16

Via RHSA-2026:37390 https://access.redhat.com/errata/RHSA-2026:37390