CVE-2026-50630

CVE Database · CVE-2026-50630

CVE-2026-50630

· MEDIUMAnalyzed

CVSS v3.1

6.5

EPSS

0.50%

Published

Jun 12, 2026

Modified

Jun 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses (CWE)

CWE-113

Affected Products (2)

apache · cxf (up to 4.1.7)vulnerable

apache · cxf (up to 4.2.2)vulnerable

References (2)

https://lists.apache.org/thread/bt7vnjzzkpd6vdhkxv103poor1jy5trm

Vendor Advisory

http://www.openwall.com/lists/oss-security/2026/06/11/7

Mailing ListThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs