2488298 – (CVE-2026-50627) CVE-2026-50627 apache-cxf: org.apache.cxf/cxf-rt-rs-security-oauth2: Apache CXF: Token Confusion/Routing attacks due to improper validation of JWT audience claims

Bug 2488298 (CVE-2026-50627) - CVE-2026-50627 apache-cxf: org.apache.cxf/cxf-rt-rs-security-oauth2: Apache CXF: Token Confusion/Routing attacks due to improper validation of JWT audience claims

Summary: CVE-2026-50627 apache-cxf: org.apache.cxf/cxf-rt-rs-security-oauth2: Apache C...

Keywords:
Status:	NEW
Alias:	CVE-2026-50627
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-12 10:01 UTC by OSIDB Bzimport
Modified:	2026-06-15 12:59 UTC (History)
CC List:	33 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-12 10:01:15 UTC

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Note You need to log in before you can comment on or make changes to this bug.

anujha
asoldano
bbaranow
bmaxwell
bstansbe
csutherl
dlofthou
dsoumis
fmariani
gmalinko
istudens
ivassile
iweiss
janstey
jclere
jwon
mcarlett
mosmerov
msvehla
nwallace
pdelbell
pesilva
pjindal
plodge
pmackay
rmaucher
rstancel
rstepani
szappis
tcunning
thjenkin
vdosoudi
yfang