Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService_CVE-2026-50623

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.

Basic Information

ID CVE-2026-50623

Source apache

Published Jun 12, 2026 at 08:52

Modified Jun 12, 2026 at 15:13

Affected Product

Vendor Apache Software Foundation

Product Apache CXF

Version 4.2.0

Affected Versions Apache Software Foundation Apache CXF 4.2.0
Apache Software Foundation Apache CXF 0

CWE Classification

CWE-287

References

lists.apache.org /thread/ydzj8m5mqmjy13xgyj9mkk9hfff63qq7

{
    "lastseen": "",
    "description": "An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF.\u00a0Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service.\u00a0Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.",
    "published": "2026-06-12T08:52:05.767Z",
    "modified": "2026-06-12T15:13:02.371Z",
    "type": "cve",
    "title": "Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService",
    "source": "apache",
    "references": "https://lists.apache.org/thread/ydzj8m5mqmjy13xgyj9mkk9hfff63qq7",
    "id": "CVE-2026-50623",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache CXF 4.2.0\nApache Software Foundation Apache CXF 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache CXF",
    "version": "4.2.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}