CVE-2026-50627: Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claim of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 4.1.7
- Affected Products: 1
HarborGuard Analysis
Synopsis
Missing JWT audience and issuer validation in Apache CXF's JwtAccessTokenValidator class allows a token confusion attack, also called a JWT replay or routing attack. An attacker with access to a valid JWT issued for one resource server can present that token to a completely different resource server, bypassing authorization checks entirely. Successful exploitation gives the attacker full read, write, and availability impact on any resource server that accepts the replayed token. Patched-image rebuilds at versions 4.1.7 and 4.2.2 are available on HarborGuard for environments running affected versions.
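As an added illustration of the defect described above (example code, not from the page or from Apache CXF), a minimal Python validator pair: one that checks only signature and expiry, mirroring a missing audience check, and a hardened one that also enforces 'iss' and 'aud'. The HS256 key, issuer URL, subject and audience names are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: a shared HS256 key and one issuer (not CXF's real configuration).
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://auth.example.test"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(audience, subject: str = "alice", ttl: int = 300, issuer: str = ISSUER) -> str:
    """Mint a minimal HS256 JWT for one audience, standing in for the authorization server."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": int(time.time()) + ttl}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def _verify_and_decode(token: str) -> dict:  # signature + expiry, shared by both validators
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

def validate_signature_only(token: str) -> dict:
    """The defect class the advisory describes: no 'aud' or 'iss' check, so a token minted for another resource server passes."""
    return _verify_and_decode(token)

def validate_hardened(token: str, my_audience: str) -> dict:
    """Also require the trusted issuer and that this server is a listed audience."""
    claims = _verify_and_decode(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519: 'aud' is a string or array
    if my_audience not in audiences:
        raise ValueError("token not addressed to this resource server")
    return claims

def accepts(validator, *args) -> bool:  # True if the validator returns claims, False if it rejects
    try:
        validator(*args)
        return True
    except ValueError:
        return False
```

With a token minted for "billing-api", `validate_signature_only` accepts it at "orders-api" while `validate_hardened(token, "orders-api")` rejects it.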
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-50627 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using feeds from Apache and downstream advisories. Coverage extends to custom-built images that bundle Apache CXF, not only official upstream base images.
- Triage (Available): Triage is available with the full CVSS v3.1 score of 9.1 (Critical) surfaced alongside each affected image, weighted against each customer organization's compliance policy to determine urgency. Routing rules within each customer org direct the finding to the appropriate team inbox based on image ownership and policy configuration.
- Patched-image rebuild (Available): A patched-image rebuild at Apache CXF 4.1.7 or 4.2.2 becomes available in HarborGuard the moment the fix version is indexed from upstream. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the target resource server's token-validation endpoint over the network, so the service must be exposed to a network the attacker can access.
- Authentication: Required
  The attacker must possess a valid JWT previously issued by a legitimate authorization server, meaning they need at minimum a low-privilege account on any resource server in the same trust domain to obtain such a token.
- Victim interaction: Not required
  No user interaction is required; the attacker replays the token directly against the target service without any victim action.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and imposes no special race conditions, memory layout requirements, or environmental constraints beyond obtaining a valid JWT.
Blast Radius
- Reads protected resources and data on any resource server that accepts the replayed token, including records and credentials scoped to legitimate users.
- Modifies or deletes persisted data on affected resource servers because the token grants write-equivalent authorization.
- Disrupts service availability on affected resource servers through authorized destructive API calls permitted by the replayed token's scope.
- Lateral movement across multiple resource servers sharing the same authorization server is possible if each server fails to enforce audience validation.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication against all images containing Apache CXF versions prior to 4.1.7 (in the 4.1.x line) or prior to 4.2.2 (in the 4.2.x line). Where compliance policy permits, a patched-image rebuild is queued automatically at the appropriate fix version. For customers who opt into auto-remediation, the typical flow is a rebuild, a regression test run, and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues in auto-remediation-enabled environments. Until a rebuild is deployed, compensating controls worth considering include network-policy isolation to restrict which clients can present tokens to each resource server, egress filtering to limit token reuse across service boundaries, and explicit audience claim enforcement added at the API gateway or service mesh layer if the application framework supports it.
Fix available
- Apache Software Foundation / Apache CXF: < 4.2.2 (from 4.2.0) · < 4.1.7 (from 0)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H