CVE-2026-50629
Last modified
CVE-2026-50629 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.. EPSS estimates a 0.47% chance of exploitation in the next 30 days.
Description
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cxf | < 4.1.7 |
| Apache | Cxf | >= 4.2.0, < 4.2.2 |
References
- http://www.openwall.com/lists/oss-security/2026/06/11/6Mailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-50629?
How severe is CVE-2026-50629?
How do I fix CVE-2026-50629?
Are you affected by CVE-2026-50629?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST