CVE-2026-50629: Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: 4.1.7
- Affected Products: 1
HarborGuard Analysis
Synopsis
Log injection vulnerability in Apache CXF's OAuth2 server component allows an unauthenticated remote attacker to write arbitrary content into server log files by supplying a crafted clientId parameter in HTTP requests. No authentication or user interaction is needed; the attacker sends a single malformed request over the network. Successful exploitation enables an attacker to forge fake log entries, obscure real audit trails, and read log-accessible credential or token data. A patched-image rebuild at versions 4.1.7 or 4.2.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-50629 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle Apache CXF. Coverage applies to all image layers that carry an affected version of the library.
HarborGuard scores this CVE at CVSS 8.2 (HIGH) and weights it against each environment's compliance policy to determine escalation priority. Triage findings are routed to the appropriate team inbox within each customer organization based on policy-defined ownership rules.
A patched-image rebuild targeting Apache CXF 4.1.7 or 4.2.2 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Apache CXF OAuth2 endpoint over the network; no local access or special network position is required beyond a standard HTTP connection.
- Authentication: Not required
No account or credentials are needed; the injection is carried in the unauthenticated clientId parameter of an OAuth2 request.
- Victim interaction: Not required
The attacker sends a crafted HTTP request directly to the server; no user action or social engineering is involved.
- Attack complexity: Low
The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or environmental factors must be satisfied.
Blast Radius
- Attacker writes forged log entries that masquerade as legitimate server events, undermining audit trails and forensic investigations.
- Attacker injects newline and control characters to hide evidence of prior malicious activity within the same log stream.
- Attacker reads confidential data surfaced in log context, such as OAuth2 token fragments or session identifiers written alongside the injected clientId.
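The defect and two defensive fixes side by side, as an added Python illustration (this is not Apache CXF's code; the log message wording, the clientId value and the function names are constructed for the example). Escaping control characters before concatenation keeps one logging call on one line, and emitting structured JSON records removes the problem at the format level.

```python
import json
import re

# Characters that let a logged value break out of its record or hide text:
# the C0 and C1 control ranges (CR, LF, NEL, ...), DEL, and the Unicode
# line/paragraph separators, which some log viewers render as line breaks.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")


def sanitize_log_field(value: str) -> str:
    """Escape control characters so a client-supplied value stays on one line."""
    return _CONTROL.sub(lambda m: "\\u%04x" % ord(m.group(0)), value)


def vulnerable_warning(client_id: str) -> str:
    """The flawed pattern: the raw clientId is concatenated into the message.
    Message wording is illustrative, not CXF's actual log text."""
    return "WARN  OAuth2 client " + client_id + " is not registered"


def hardened_warning(client_id: str) -> str:
    """Same message, but the untrusted field is neutralised first."""
    return "WARN  OAuth2 client " + sanitize_log_field(client_id) + " is not registered"


def structured_warning(client_id: str) -> str:
    """Structured logging: the value is a JSON string, so json.dumps escapes
    CR/LF itself and the record cannot be split whatever the input."""
    record = {"level": "WARN", "event": "unregistered_client", "client_id": client_id}
    return json.dumps(record, ensure_ascii=True)


# Constructed test input (not a real request): a clientId that smuggles a
# second, fake record after a CRLF.
FORGED_CLIENT_ID = "bogus\r\nINFO  OAuth2 client admin issued token"


def record_count(message: str) -> int:
    """How many separate lines a log consumer would see for one logging call."""
    return len(message.splitlines())


if __name__ == "__main__":
    for fn in (vulnerable_warning, hardened_warning, structured_warning):
        out = fn(FORGED_CLIENT_ID)
        print(f"{fn.__name__}: {record_count(out)} line(s) -> {out!r}")
```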
How HarborGuard Handles This
Available on HarborGuard: detection runs automatically against all images containing Apache CXF versions prior to 4.1.7 or 4.2.2, matching on the exact library artifact regardless of base image. For customers who opt into auto-remediation, a rebuilt image at the fix version is generated, a regression test run is executed, and a pull request is opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy permits immediate remediation, teams can expect minimal manual steps. Customers who have not enabled auto-remediation will see the affected images flagged in their HarborGuard dashboard with a direct pointer to the 4.1.7 or 4.2.2 fix versions and rebuild instructions.
Fix available
- Apache Software Foundation / Apache CXF: < 4.2.2 (from 4.2.0); < 4.1.7 (from 0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N