Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Basic Information

ID CVE-2026-50630

Source apache

Published Jun 12, 2026 at 08:58

Modified Jun 12, 2026 at 14:03

Affected Product

Vendor Apache Software Foundation

Product Apache CXF

Version 4.2.0

Affected Versions Apache Software Foundation Apache CXF 4.2.0
Apache Software Foundation Apache CXF 0

CWE Classification

CWE-113

References

lists.apache.org /thread/bt7vnjzzkpd6vdhkxv103poor1jy5trm

{
    "lastseen": "",
    "description": "A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.",
    "published": "2026-06-12T08:58:27.181Z",
    "modified": "2026-06-12T14:03:22.085Z",
    "type": "cve",
    "title": "Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection",
    "source": "apache",
    "references": "https://lists.apache.org/thread/bt7vnjzzkpd6vdhkxv103poor1jy5trm",
    "id": "CVE-2026-50630",
    "bulletinFamily": "",
    "cwe": [
        "CWE-113"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache CXF 4.2.0\nApache Software Foundation Apache CXF 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache CXF",
    "version": "4.2.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection_CVE-2026-50630