CVE-2026-50627
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CWE: CWE-289
Description
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Source: NVD
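The missing check described above, as an added Python illustration that is not Apache CXF code: a validator that checks only issuer and expiry (the vulnerable pattern) next to one that also requires the token's 'aud' claim to name this resource server. The issuer, the resource-server URLs, the fixed clock value and the token-building helper are constructed for the example.

```python
import base64
import json

# Constructed values for this example; none of them come from Apache CXF.
TRUSTED_ISSUER = "https://as.example"
THIS_RESOURCE_SERVER = "https://rs-a.example"
NOW = 1_780_000_000  # fixed clock so the checks are deterministic

def _b64url(data):
    # JWT segments are unpadded base64url (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims):
    # Constructed helper that builds a compact JWS with a placeholder signature;
    # signature verification is assumed to happen before the claim checks below.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'placeholder')}"

def decode_claims(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def _issuer_and_expiry_ok(claims):
    return claims.get("iss") == TRUSTED_ISSUER and claims.get("exp", 0) > NOW

def validate_without_audience(token):
    # Vulnerable pattern from the description: 'aud' is never consulted, so a
    # token minted for another resource server is accepted by this one.
    return _issuer_and_expiry_ok(decode_claims(token))

def validate_with_audience(token, expected=THIS_RESOURCE_SERVER):
    # Hardened pattern: 'aud' must be present, be a string or an array of strings
    # (RFC 7519, section 4.1.3) and name this resource server; anything else fails.
    claims = decode_claims(token)
    if not _issuer_and_expiry_ok(claims):
        return False
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False
    return expected in aud

# Token issued for rs-b and replayed against rs-a (the scenario in the CVE)
REPLAYED = make_token({"iss": TRUSTED_ISSUER, "sub": "alice", "aud": "https://rs-b.example", "exp": NOW + 600})
# Token genuinely issued for rs-a, using the array form of 'aud'
LEGIT = make_token({"iss": TRUSTED_ISSUER, "sub": "alice", "aud": ["https://rs-a.example"], "exp": NOW + 600})
```

The replayed token passes the audience-blind validator and is rejected by the audience-aware one; a token with no 'aud' at all is also rejected by the hardened check.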
References
Related CVEs
Same CWE
- CVE-2026-43617 — Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enfo... (4.8 MEDIUM)
- CVE-2023-1803 — Authentication Bypass by Alternate Name vulnerability in DTS Electronics Redline Router firmware allows Authentication Bypass. This issue ... (9.8 CRITICAL)