Description
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Published: 2026-06-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JwtAccessTokenValidator in Apache CXF fails to validate the 'aud' claim of incoming JWTs, allowing a token issued for one resource server to be replayed against another. This token confusion can grant an attacker access to resources they are not authorized to use, compromising confidentiality and integrity on the victim server. The weakness is a flaw in authentication, identified as CWE‑289.

Affected Systems

Apache CXF versions prior to 4.1.7 and 4.2.2 are affected. Users should ensure they are running at least 4.1.7 for the 4.1 series or 4.2.2 for the 4.2 series, which contain the fix.

Risk and Exploitability

The vulnerability is exploitable over the network, requiring only a valid but misissued JWT to be sent in a request. The EPSS score of < 1% indicates a very low but non‑zero likelihood of exploitation, and the lack of a KEV listing suggests it has not yet been widely exploited, but the impact is high if used. The CVSS score of 9.1 confirms a critical severity. Attackers can remotely use the flaw to bypass authorization without additional credentials.

Generated by OpenCVE AI on June 17, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache CXF to version 4.2.2 or 4.1.7, whichever applies.
  • Verify that JWT audience and issuer validation is enabled in the application configuration.
  • Monitor application logs for unusual JWT usage and enforce additional access controls.

Generated by OpenCVE AI on June 17, 2026 at 23:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-303
References
Metrics threat_severity

None

threat_severity

Important


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cxf
Vendors & Products Apache
Apache cxf

Fri, 12 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 12 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Title Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator
Weaknesses CWE-289
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-02T12:05:01.359Z

Reserved: 2026-06-05T10:36:46.172Z

Link: CVE-2026-50627

cve-icon Vulnrichment

Updated: 2026-06-12T09:28:01.443Z

cve-icon NVD

Status : Modified

Published: 2026-06-12T10:16:22.587

Modified: 2026-06-15T21:17:23.500

Link: CVE-2026-50627

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-12T08:55:41Z

Links: CVE-2026-50627 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:45:13Z

Weaknesses
  • CWE-289

    Authentication Bypass by Alternate Name

  • CWE-303

    Incorrect Implementation of Authentication Algorithm