Description
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Published: 2026-06-12
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JwtAccessTokenValidator in Apache CXF fails to validate the 'aud' claim of incoming JWTs, allowing a token issued for one resource server to be replayed against another. This token confusion can grant an attacker access to resources they are not authorized to use, compromising confidentiality and integrity on the victim server. The weakness is a flaw in authentication, identified as CWE‑289.

Affected Systems

Apache CXF versions prior to 4.1.7 and 4.2.2 are affected. Users should ensure they are running at least 4.1.7 for the 4.1 series or 4.2.2 for the 4.2 series, which contain the fix.

Risk and Exploitability

The vulnerability is exploitable over the network, requiring only a valid but misissued JWT to be sent in a request. The absence of an EPSS score and lack of KEV listing suggest it has not yet been widely exploited, but the impact is high if used. The CVSS score is not disclosed in the data, but the nature of the flaw indicates a high severity. Attackers can remotely use the flaw to bypass authorization without additional credentials.

Generated by OpenCVE AI on June 12, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache CXF to version 4.2.2 or 4.1.7, whichever applies.
  • Verify that JWT audience and issuer validation is enabled in the application configuration.
  • Monitor application logs for unusual JWT usage and enforce additional access controls.

Generated by OpenCVE AI on June 12, 2026 at 10:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 12 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Title Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator
Weaknesses CWE-289
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-12T09:28:01.443Z

Reserved: 2026-06-05T10:36:46.172Z

Link: CVE-2026-50627

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-12T10:16:22.587

Modified: 2026-06-12T13:08:47.310

Link: CVE-2026-50627

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T10:30:24Z

Weaknesses
  • CWE-289

    Authentication Bypass by Alternate Name