Description
A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this

security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Published: 2026-06-12
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic flaw in Apache CXF's OAuthRequestFilter causes the IP binding check to be inverted: requests from the bound IP are rejected while those from any other IP are accepted. The result is that legitimate clients can be denied access and unauthenticated attackers can use arbitrary IP addresses to bypass the binding constraint, thereby obtaining unauthorized access to protected resources. This is a type of improper input validation failure (CWE‑20).

Affected Systems

The vulnerability affects Apache CXF implementations that use an OAuth2 request filter with IP binding enabled. Versions of Apache CXF released before 4.2.2 and 4.1.7 are impacted. Patching to these or newer releases removes the issue.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, suggesting that widespread exploitation is not documented. The risk remains moderate to high because the flaw permits IP spoofing or bypass of IP‑based access controls if the application relies on this binding for security. An attacker could exploit the issue by sending HTTP requests from a non‑bound IP, potentially gaining unauthorized access. Due to the absence of an EPSS score, the likelihood of exploitation is uncertain, but the vulnerability's impact on confidentiality and integrity makes it a serious concern when the affected configuration is in use.

Generated by OpenCVE AI on June 12, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied update to Apache CXF version 4.2.2 or 4.1.7.
  • Disable IP binding enforcement in the OAuthRequestFilter if it is not required for your security model.
  • Validate incoming IP addresses at the application layer, rejecting any that do not match the expected network range.

Generated by OpenCVE AI on June 12, 2026 at 10:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cxf
Vendors & Products Apache
Apache cxf

Fri, 12 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 12 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Title Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control
Weaknesses CWE-20
References

Subscriptions

Apache Cxf
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-12T09:28:03.551Z

Reserved: 2026-06-05T10:46:30.931Z

Link: CVE-2026-50628

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-12T10:16:22.710

Modified: 2026-06-12T13:08:47.310

Link: CVE-2026-50628

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T11:30:24Z

Weaknesses
  • CWE-20

    Improper Input Validation