{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-50628: Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-50628","status":"final","version":"1","initial_release_date":"2026-06-12T08:56:28.526Z","current_release_date":"2026-06-15T19:28:29.840Z","revision_history":[{"date":"2026-06-12T08:56:28.526Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-50628 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-50628"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-50628"},{"category":"external","summary":"lists.apache.org","url":"https://lists.apache.org/thread/vb3ho8lf228gh90m1fpnohf2008xrdxk"}]},"product_tree":{"branches":[{"category":"vendor","name":"Apache Software Foundation","branches":[{"category":"product_name","name":"Apache CXF","branches":[{"category":"product_version_range","name":">=4.2.0 <4.2.2","product":{"name":"Apache Software Foundation Apache CXF >=4.2.0 <4.2.2","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:apache_software_foundation:apache_cxf:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":"<4.1.7","product":{"name":"Apache Software Foundation Apache CXF <4.1.7","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:apache_software_foundation:apache_cxf:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-50628","title":"Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control","notes":[{"category":"description","text":"A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1","CSAFPID-2"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 4.1.7, 4.2.2.","product_ids":["CSAFPID-1","CSAFPID-2"]}]}]}