CVE-2026-50628

CRITICAL

Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control

Title source: cna

Description

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/vb3ho8lf228gh90m1fpnohf2008xrdxk

Mailing List

http://www.openwall.com/lists/oss-security/2026/06/11/5

Scores

CVSS v3 9.8

EPSS 0.0022

EPSS Percentile 12.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-20

Status published

Products (3)

apache/cxf < 4.1.7

Apache Software Foundation/Apache CXF < 4.1.7

Apache Software Foundation/Apache CXF 4.2.0 - 4.2.2

Published Jun 12, 2026

Tracked Since Jun 12, 2026