Description
An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. Note, however, that this check is a safeguard only for the case where someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.
Published: 2026-06-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw stems from a missing throw statement in the security context check of the OAuth2 TokenIntrospectionService: the check is evaluated, but the request is never rejected, so any unauthenticated caller can invoke the /services/oauth2/introspect endpoint. This is an authentication bypass (CWE-287) that exposes token validity and, inferred from the description rather than stated in it, introspection data that may contain sensitive session information.
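The bug class the description names, an exception that is constructed but never thrown, shown as an added illustration beside its corrected form; this is not Apache CXF source, and the class, interface and method names are assumptions:

```java
// Added illustration (not Apache CXF code): a guard clause whose exception is
// created but not thrown falls through, so the unauthenticated path continues.
import java.security.Principal;

public class IntrospectionGuardDemo {

    // Hypothetical stand-ins for a JAX-RS SecurityContext and a 401 exception;
    // the names are assumptions, not CXF identifiers.
    interface SecurityContext { Principal getUserPrincipal(); }

    static class NotAuthorizedException extends RuntimeException {
        NotAuthorizedException(String msg) { super(msg); }
    }

    // Vulnerable form: the exception object is built and discarded, so a
    // caller with no principal still reaches the introspection response.
    static String introspectVulnerable(SecurityContext sc, String token) {
        if (sc.getUserPrincipal() == null) {
            new NotAuthorizedException("client must authenticate"); // missing 'throw'
        }
        return "{\"active\":true,\"token\":\"" + token + "\"}";
    }

    // Fixed form: the guard actually aborts the request.
    static String introspectFixed(SecurityContext sc, String token) {
        if (sc.getUserPrincipal() == null) {
            throw new NotAuthorizedException("client must authenticate");
        }
        return "{\"active\":true,\"token\":\"" + token + "\"}";
    }

    // Regression check a defender would keep: an anonymous caller must be rejected.
    static boolean rejectsAnonymous(SecurityContext sc) {
        try {
            introspectFixed(sc, "constructed-token");
            return false;
        } catch (NotAuthorizedException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        SecurityContext anonymous = () -> null; // constructed: no authenticated principal
        System.out.println("vulnerable: " + introspectVulnerable(anonymous, "t1"));
        System.out.println("fixed rejects anonymous: " + rejectsAnonymous(anonymous));
    }
}
```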

Affected Systems

Apache CXF deployments that expose the OAuth2 TokenIntrospectionService are affected, specifically versions before 4.2.2 (for CXF 4.2.x) or 4.1.7 (for CXF 4.1.x). Any configuration that makes the /services/oauth2/introspect endpoint reachable from external networks can be exploited. Per the description, the broken check is a safeguard for deployments that did not enable authentication on the service; deployments that did are not bypassed by this flaw.

Risk and Exploitability

Because the endpoint accepts unauthenticated requests from any network location, an attacker can read introspection data without credentials. The EPSS score below 1% and the absence of the CVE from the CISA KEV catalog do not reduce the potential impact in environments where token details are sensitive. The risk, reflected in a CVSS score of 6.5, is moderate-to-high where the introspection service is exposed externally.

Generated by OpenCVE AI on June 12, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache CXF to version 4.2.2 (or 4.1.7 for older branches) to apply the missing throw keyword fix.
  • If an upgrade cannot be performed immediately, restrict the /services/oauth2/introspect endpoint with firewall rules so that only trusted internal hosts can reach it, and enable authentication on the service.
  • If the introspection service is not essential, disable it entirely as a temporary workaround until a patch is applied.



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared: Apache; Apache cxf
Vendors & Products: Apache; Apache cxf

Fri, 12 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 12 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.
Title Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService
Weaknesses CWE-287
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-13T03:55:32.680Z

Reserved: 2026-06-05T10:20:37.692Z

Link: CVE-2026-50623

Vulnrichment

Updated: 2026-06-12T09:27:59.385Z

NVD

Status: Analyzed

Published: 2026-06-12T10:16:22.467

Modified: 2026-06-12T19:07:52.217

Link: CVE-2026-50623

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:30:06Z

Weaknesses