CVE-2026-50629

MEDIUM

Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier

Title source: cna

Description

The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/xw95po30p8th58ms1no6b0f2375cql00

Mailing List

http://www.openwall.com/lists/oss-security/2026/06/11/6

Scores

CVSS v3 5.3

EPSS 0.0059

EPSS Percentile 43.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (3)

apache/cxf < 4.1.7

Apache Software Foundation/Apache CXF < 4.1.7

Apache Software Foundation/Apache CXF 4.2.0 - 4.2.2

Published Jun 12, 2026

Tracked Since Jun 12, 2026