Description
A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this

security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Published: 2026-06-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic flaw in Apache CXF's OAuthRequestFilter causes the IP binding check to be inverted: requests from the bound IP are rejected while those from any other IP are accepted. The result is that legitimate clients can be denied access and unauthenticated attackers can use arbitrary IP addresses to bypass the binding constraint, thereby obtaining unauthorized access to protected resources. This is a type of improper input validation failure (CWE‑20).

Affected Systems

The vulnerability affects Apache CXF implementations that use an OAuth2 request filter with IP binding enabled. Versions of Apache CXF released before 4.2.2 and 4.1.7 are impacted. Patching to these or newer releases removes the issue.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in CISA’s KEV catalog, suggesting that widespread exploitation has not been documented. The risk remains high, with a CVSS score of 9.8 indicating critical severity, because the flaw permits IP spoofing or bypass of IP‑based access controls if the application relies on this binding for security. An attacker could exploit the issue by sending HTTP requests from a non‑bound IP, potentially gaining unauthorized access. Due to the low EPSS score, the likelihood of exploitation is uncertain, but the vulnerability's impact on confidentiality and integrity makes it a serious concern when the affected configuration is in use.

Generated by OpenCVE AI on June 17, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied update to Apache CXF version 4.2.2 or 4.1.7.
  • Disable IP binding enforcement in the OAuthRequestFilter if it is not required for your security model.
  • Validate incoming IP addresses at the application layer, rejecting any that do not match the expected network range.

Generated by OpenCVE AI on June 17, 2026 at 23:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-358
References
Metrics threat_severity

None

threat_severity

Important


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 12 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cxf
Vendors & Products Apache
Apache cxf

Fri, 12 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 12 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Title Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-02T12:05:00.780Z

Reserved: 2026-06-05T10:46:30.931Z

Link: CVE-2026-50628

cve-icon Vulnrichment

Updated: 2026-06-12T09:28:03.551Z

cve-icon NVD

Status : Modified

Published: 2026-06-12T10:16:22.710

Modified: 2026-06-15T21:17:23.677

Link: CVE-2026-50628

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-12T08:56:28Z

Links: CVE-2026-50628 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:45:13Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-358

    Improperly Implemented Security Check for Standard