Impact
The JwtAccessTokenValidator in Apache CXF fails to validate the 'aud' claim of incoming JWTs, allowing a token issued for one resource server to be replayed against another. This token confusion can grant an attacker access to resources they are not authorized to use, compromising confidentiality and integrity on the victim server. The weakness is a flaw in authentication, identified as CWE‑289.
Affected Systems
Apache CXF versions prior to 4.1.7 and 4.2.2 are affected. Users should ensure they are running at least 4.1.7 for the 4.1 series or 4.2.2 for the 4.2 series, which contain the fix.
Risk and Exploitability
The vulnerability is exploitable over the network, requiring only a valid but misissued JWT to be sent in a request. The EPSS score of < 1% indicates a very low but non‑zero likelihood of exploitation, and the lack of a KEV listing suggests it has not yet been widely exploited, but the impact is high if used. The CVSS score of 9.1 confirms a critical severity. Attackers can remotely use the flaw to bypass authorization without additional credentials.
OpenCVE Enrichment