Impact
The flaw is a CRLF injection in the OAuth2 AuthorizationUtils class of Apache CXF. When the WWW-Authenticate header is built, the realm value is concatenated into it without escaping carriage return (CR) or line feed (LF) characters. If an attacker can influence the realm, the resulting header can contain injected CRLF sequences that create additional HTTP headers or split the response, allowing tampering with the response sent to a client. This can lead to manipulation of client behavior or of the content the client loads, and may enable phishing or other attacks via header injection.
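To make the mechanism concrete, here is an added Python model of the flaw (not Apache CXF's code): a realm concatenated into a WWW-Authenticate header as-is, next to a hardened builder that refuses CR/LF, with a line-oriented parser showing what a client would see in each case. The Bearer scheme, the quoted-realm layout and the sample realm are assumptions.

```python
import re

# Added example, not Apache CXF code: a small model of the CRLF flaw described above.
# Header layout (Bearer scheme, quoted realm) and the sample realm are assumptions.
CR_LF = re.compile(r"[\r\n]")


def build_www_authenticate_unsafe(realm: str) -> str:
    """Models the flawed behaviour: realm is concatenated without checking for CR/LF."""
    return f'WWW-Authenticate: Bearer realm="{realm}"'


def build_www_authenticate_safe(realm: str) -> str:
    """Hardened form: refuse any realm carrying CR or LF, and escape embedded quotes."""
    if CR_LF.search(realm):
        raise ValueError("realm must not contain CR or LF")
    escaped = realm.replace('"', '\\"')
    return f'WWW-Authenticate: Bearer realm="{escaped}"'


def parse_header_block(raw: str) -> dict:
    """Parse the header lines of a raw response the way a line-oriented client does."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # index 0 is the status line
        if not line:
            break  # empty line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def challenge_response(builder, realm: str) -> dict:
    """Build a 401 challenge with the given builder and parse back what a client sees."""
    raw = "\r\n".join(["HTTP/1.1 401 Unauthorized", builder(realm), "Content-Length: 0", "", ""])
    return parse_header_block(raw)


# Constructed realm that smuggles one extra header line through an embedded CRLF.
INJECTED_REALM = "api\r\nX-Injected: yes"


def demo() -> tuple:
    """Return (headers seen with the unsafe builder, error raised by the safe builder)."""
    unsafe = challenge_response(build_www_authenticate_unsafe, INJECTED_REALM)
    try:
        challenge_response(build_www_authenticate_safe, INJECTED_REALM)
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    return unsafe, rejected


if __name__ == "__main__":
    seen, err = demo()
    print("unsafe builder exposes headers:", sorted(seen))
    print("safe builder:", err)
```

The unsafe builder yields a response in which the client sees a separate X-Injected header, while the safe builder raises before any header is written.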
Affected Systems
Applies to Apache CXF versions prior to 4.2.2 and 4.1.7. Users running these releases should upgrade to the fixed versions to eliminate the vulnerability. No other vendor or product was listed in the CNA data, so only the Apache CXF community is affected.
Risk and Exploitability
The CVSS score is 6.5, indicating medium severity. The vulnerability is a classic HTTP response splitting flaw (CWE-113) with potentially serious impact on the confidentiality and integrity of HTTP responses. The EPSS score is < 1%, indicating low exploitation probability, and the issue is not listed in the CISA KEV catalog. Because the attack requires controlling the realm parameter in an OAuth2 authentication flow, the attack vector is likely internal or requires HTTP request manipulation. No publicly documented exploit exists, and the low EPSS score suggests that exploitation is uncommon; nevertheless, the nature of header injection makes the vulnerability high risk if the affected code is exposed to untrusted inputs.
OpenCVE Enrichment