Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Basic Information

ID CVE-2026-50629

Source apache

Published Jun 12, 2026 at 08:57

Modified Jun 12, 2026 at 14:47

Affected Product

Vendor Apache Software Foundation

Product Apache CXF

Version 4.2.0

Affected Versions Apache Software Foundation Apache CXF 4.2.0
Apache Software Foundation Apache CXF 0

CWE Classification

CWE-93

References

lists.apache.org /thread/xw95po30p8th58ms1no6b0f2375cql00

{
    "lastseen": "",
    "description": "The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.",
    "published": "2026-06-12T08:57:22.534Z",
    "modified": "2026-06-12T14:47:44.227Z",
    "type": "cve",
    "title": "Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier",
    "source": "apache",
    "references": "https://lists.apache.org/thread/xw95po30p8th58ms1no6b0f2375cql00",
    "id": "CVE-2026-50629",
    "bulletinFamily": "",
    "cwe": [
        "CWE-93"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache CXF 4.2.0\nApache Software Foundation Apache CXF 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache CXF",
    "version": "4.2.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier_CVE-2026-50629