CVE-2026-50628
Last modified
CVE-2026-50628 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.. EPSS estimates a 0.60% chance of exploitation in the next 30 days.
Description
A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cxf | < 4.1.7 |
| Apache | Cxf | >= 4.2.0, < 4.2.2 |
References
- http://www.openwall.com/lists/oss-security/2026/06/11/5Mailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2026-50628?
How severe is CVE-2026-50628?
How do I fix CVE-2026-50628?
Are you affected by CVE-2026-50628?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST