Impact
A race condition in the OAuth2 data provider allows concurrent requests that present the same refresh token to each be honored when the recycleRefreshTokens flag is set to false. Because the single-use check and the invalidation of the refresh token are not performed atomically, several requests can pass the check before any of them revokes the token, which defeats the intended single-use behaviour: one refresh token can be redeemed by multiple attackers or threads, each obtaining a valid access token. This exposes the system to token replay and, where the issued access tokens carry broad authorization, to privilege escalation.
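As an added illustration (this is not Apache CXF code and is not part of the advisory), the following Python simulates the check-then-act race against an in-memory refresh-token store and contrasts it with a store that consumes the token atomically. The store classes, the leaked token value and the artificially widened timing window are constructed for the example; in a real data provider the equivalent fix is a single atomic "consume if present" operation against the backing store, not a lookup followed by a separate delete.

```python
import secrets
import threading
import time

# Constructed stand-in for a data provider's refresh-token table:
# maps refresh token -> subject. Not CXF code.
LEAKED_REFRESH_TOKEN = "rt-constructed-example"


class RacyTokenStore:
    """Single-use enforced as lookup, then issue, then delete.

    The gap between the lookup and the delete is the race window. The
    sleep stands in for the database round trip a real provider makes and
    is widened so the race reproduces deterministically."""

    def __init__(self, refresh_tokens, window=0.1):
        self._refresh = dict(refresh_tokens)
        self._window = window

    def refresh(self, refresh_token):
        subject = self._refresh.get(refresh_token)      # check
        if subject is None:
            return None
        time.sleep(self._window)                        # race window
        access_token = secrets.token_urlsafe(16)
        self._refresh.pop(refresh_token, None)          # act: revoke (too late)
        return access_token


class AtomicTokenStore:
    """Single-use enforced by consuming the token under a lock.

    Exactly one concurrent caller gets the subject back; every other caller
    sees None and is refused, regardless of how long issuance takes."""

    def __init__(self, refresh_tokens, window=0.1):
        self._refresh = dict(refresh_tokens)
        self._window = window
        self._lock = threading.Lock()

    def refresh(self, refresh_token):
        with self._lock:
            subject = self._refresh.pop(refresh_token, None)  # check and revoke together
        if subject is None:
            return None
        time.sleep(self._window)
        return secrets.token_urlsafe(16)


def race(store, refresh_token, concurrency=8):
    """Submit `concurrency` refresh requests with the same token at the same
    instant and return the access tokens that were issued."""
    barrier = threading.Barrier(concurrency)
    issued = []
    issued_lock = threading.Lock()

    def worker():
        barrier.wait()                                  # release all threads together
        token = store.refresh(refresh_token)
        if token is not None:
            with issued_lock:
                issued.append(token)

    threads = [threading.Thread(target=worker) for _ in range(concurrency)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return issued


def demo():
    """Returns (tokens issued by the racy store, tokens issued by the atomic store)."""
    racy = race(RacyTokenStore({LEAKED_REFRESH_TOKEN: "alice"}), LEAKED_REFRESH_TOKEN)
    fixed = race(AtomicTokenStore({LEAKED_REFRESH_TOKEN: "alice"}), LEAKED_REFRESH_TOKEN)
    return len(racy), len(fixed)


if __name__ == "__main__":
    racy_count, fixed_count = demo()
    print(f"racy store issued {racy_count} access tokens from one refresh token; "
          f"atomic store issued {fixed_count}")
```

The same driver shape (a barrier releasing N identical refresh requests at once, then counting HTTP 200 responses) is what a black-box check against a staging token endpoint looks like; anything more than one success from a single refresh token indicates the race is present.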
Affected Systems
The vulnerability affects Apache CXF releases prior to the fixed versions. Users should upgrade to 4.2.2 or 4.1.7 (or later in the respective release line), which contain the patch for this race condition. Deployments running older releases with recycleRefreshTokens disabled remain susceptible.
Risk and Exploitability
The flaw becomes exploitable once a refresh token is leaked or observed; any party able to submit concurrent requests carrying that token can obtain multiple access tokens from it. The CVSS score of 7.4 rates the issue as high severity, while an EPSS score below 1% indicates a low estimated probability of exploitation in the wild. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalogue, but the potential for unauthorized access to protected resources makes it a material concern. Access tokens obtained this way remain usable until they expire or are revoked. Although the defect lies in the server's token-handling logic, it is reachable remotely through the normal OAuth refresh flow by anyone holding the leaked refresh token.
OpenCVE Enrichment