CVE-2026-50628: Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control
A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 4.1.7
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass affects Apache CXF's OAuth2 request filter (OAuthRequestFilter) due to an inverted IP address binding check. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation gives an attacker full read, write, and denial-of-service capability against the affected service; a patched-image rebuild at versions 4.1.7 and 4.2.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Apache and NVD feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Apache CXF.
HarborGuard scores this CVE at CVSS 9.8 (Critical) and weights it against each environment's compliance policy to determine urgency and routing, surfacing it to the appropriate team inbox within each customer organization.
A patched-image rebuild at Apache CXF 4.1.7 or 4.2.2 is available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Apache CXF service over the network; no local or physical access is needed.
- Authentication: Not required
No credentials or session token are needed; the inverted IP check allows unauthenticated requests from any non-bound IP address.
- Victim interaction: Not required
The attacker sends requests directly to the service; no user action or social engineering is involved.
- Attack complexity: Low
Exploitation is reliable and condition-free: the logic error triggers consistently on any request arriving from an IP that is not the configured bound address.
Blast Radius
- Reads OAuth2-protected resources, which may include session tokens, access tokens, and any data exposed by the CXF service.
- Writes or modifies data through OAuth2-protected endpoints, including altering records or issuing unauthorized API operations.
- Crashes or degrades the affected Apache CXF service by sending malformed or high-volume requests through the unguarded filter path.
- Bypasses all IP-binding security controls, meaning any network-reachable attacker is treated as a trusted, pre-authorized client.
How HarborGuard Handles This
Available on HarborGuard: images containing Apache CXF versions affected by CVE-2026-50628 are flagged at ingest, and rebuilt images pinned to 4.1.7 (for the 4.1.x line) or 4.2.2 (for the 4.2.x line) are available immediately. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests against the new image, and opens a PR against affected workloads; for Critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who cannot immediately upgrade should consider applying network policy to restrict inbound access to Apache CXF endpoints at the infrastructure layer, and should disable the OAuthRequestFilter IP-binding feature entirely until the patched version is deployed, since enabling it in affected versions actively weakens security rather than strengthening it.
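To make the inverted check concrete, here is an added illustrative model, not Apache CXF's code: a token bound to a client address at issuance, the comparison written the wrong way round beside the corrected form, and a small probe harness a defender can run against either to confirm which behaviour a filter exhibits. The names BoundToken, inverted_check, fixed_check and audit, and the sample addresses, are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class BoundToken:
    """Hypothetical access token bound at issuance to the client address that obtained it."""
    value: str
    bound_ip: str


def _normalize(ip: str) -> Addr:
    """Canonicalize so an IPv4-mapped IPv6 address ("::ffff:10.0.0.5")
    compares equal to its plain IPv4 form; string comparison would not."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def inverted_check(token: BoundToken, client_ip: str) -> bool:
    """Flawed variant: allows (True) exactly when the addresses DIFFER,
    so the bound client is rejected and everyone else is let through."""
    return _normalize(token.bound_ip) != _normalize(client_ip)


def fixed_check(token: BoundToken, client_ip: str) -> bool:
    """Corrected variant: allow only when the requester matches the bound address."""
    return _normalize(token.bound_ip) == _normalize(client_ip)


def audit(check: Callable[[BoundToken, str], bool], token: BoundToken,
          probes: List[Tuple[str, bool]]) -> List[str]:
    """Run a check against (client_ip, should_allow) probes and return the
    addresses where the verdict contradicts expectation. An empty list
    means the binding behaves as a binding; a full list means it is inverted."""
    return [ip for ip, expected in probes if check(token, ip) != expected]


# Constructed sample: token bound to 10.0.0.5, probed from four client addresses.
TOKEN = BoundToken("tok-example", "10.0.0.5")
PROBES = [("10.0.0.5", True), ("::ffff:10.0.0.5", True),
          ("10.0.0.6", False), ("203.0.113.9", False)]

if __name__ == "__main__":
    print("fixed   mismatches:", audit(fixed_check, TOKEN, PROBES))      # []
    print("inverted mismatches:", audit(inverted_check, TOKEN, PROBES))  # all four
```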
Fix available
- Apache Software Foundation / Apache CXF: < 4.2.2 (from 4.2.0) · < 4.1.7 (from 0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H