CVE-2026-50623

MEDIUM

Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService

Title source: cna

Description

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/ydzj8m5mqmjy13xgyj9mkk9hfff63qq7

Mailing List

http://www.openwall.com/lists/oss-security/2026/06/11/3

Scores

CVSS v3 6.5

EPSS 0.0052

EPSS Percentile 39.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-287

Status published

Products (3)

apache/cxf < 4.1.7

Apache Software Foundation/Apache CXF < 4.1.7

Apache Software Foundation/Apache CXF 4.2.0 - 4.2.2

Published Jun 12, 2026

Tracked Since Jun 12, 2026