CVE-2026-50628

CVE Database · CVE-2026-50628

CVE-2026-50628

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

0.68%

Published

Jun 12, 2026

Modified

Jun 15, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-20

Affected Products (2)

apache · cxf (up to 4.1.7)vulnerable

apache · cxf (up to 4.2.2)vulnerable

References (2)

https://lists.apache.org/thread/vb3ho8lf228gh90m1fpnohf2008xrdxk

Vendor Advisory

http://www.openwall.com/lists/oss-security/2026/06/11/5

Mailing ListThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs