Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

AI Analysis

Missing JWT Audience and Issuer Validation in Access Token Validator

Basic Information

ID CVE-2026-50627

Source apache

Published Jun 12, 2026 at 08:55

Modified Jun 15, 2026 at 19:28

Affected Product

Vendor Apache Software Foundation

Product Apache CXF

Version 4.2.0

Affected Versions Apache Software Foundation Apache CXF 4.2.0
Apache Software Foundation Apache CXF 0

CWE Classification

CWE-289

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Apache Software Foundation

Product Apache CXF

Version 4.2.0, 4.1.7

References

lists.apache.org /thread/0jfzz9q992957b99tw7hodcqjfyxwb1m

{
    "lastseen": "",
    "description": "The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.",
    "published": "2026-06-12T08:55:41.657Z",
    "modified": "2026-06-15T19:28:36.208Z",
    "type": "cve",
    "title": "Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator",
    "source": "apache",
    "references": "https://lists.apache.org/thread/0jfzz9q992957b99tw7hodcqjfyxwb1m",
    "id": "CVE-2026-50627",
    "bulletinFamily": "",
    "cwe": [
        "CWE-289"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache CXF 4.2.0\nApache Software Foundation Apache CXF 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache CXF",
    "version": "4.2.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "Missing JWT Audience and Issuer Validation in Access Token Validator",
    "ai_severity": "Critical",
    "ai_vendor": "Apache Software Foundation",
    "ai_product": "Apache CXF",
    "ai_version": "4.2.0, 4.1.7",
    "ai_score": 9.1
}

Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator_CVE-2026-50627