HIGH · CVE-2026-50631 · Published · Modified · CNA: apache

CVE-2026-50631: Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Metrics

CVSS v3.1: 7.4
Severity: HIGH
Fixed in: 4.1.7 (4.1 line), 4.2.2 (4.2 line)
Affected Products: 1


HarborGuard Analysis

Synopsis

A time-of-check to time-of-use (TOCTOU) race condition in Apache CXF's OAuth2 refresh token handling (AbstractOAuthDataProvider, when recycleRefreshTokens is set to false) allows an attacker who holds a leaked refresh token to replay it concurrently and obtain multiple valid access tokens, instead of the single token a single-use refresh grant should yield. The token endpoint is reachable over the network and no credentials are needed beyond the refresh token itself, but exploitation requires winning a timing race between concurrent requests. Successful exploitation lets an attacker read protected resources and modify data within the scope of the fraudulently issued access tokens; availability is not affected. Patched-image rebuilds at versions 4.1.7 and 4.2.2 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Apache CXF.

Triage: Available

HarborGuard scores this vulnerability at CVSS 7.4 (HIGH) and can weight that score against each environment's compliance policy to route the finding to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at Apache CXF 4.1.7 or 4.2.2 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The OAuth2 token endpoint must be reachable over the network; the attacker sends concurrent HTTP requests carrying the same refresh token to that endpoint from a remote host.

  • Authentication: Not required

    No account or credential is needed beyond possession of a leaked or stolen refresh token, which is the precondition the attacker supplies directly.

  • Victim interaction: Not required

    The attack is fully automated via concurrent requests; no user action or social engineering is involved.

  • Attack complexity: High

    Attack complexity is high because the exploit depends on a narrow timing window: the duplicate requests must reach the server between its check that the refresh token is still valid and its revocation of that token. In practice the attacker fires a burst of identical refresh requests and keeps whichever access tokens come back, so the race is repeatable but not guaranteed on any single attempt.
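The check-then-revoke window described in the synopsis and in the exploit conditions above, as an added example that is not Apache CXF's code: a single-use refresh token store written both ways, and a burst of concurrent refresh requests that replays one token against each. The store layout, method names, client id and the artificial delay are assumptions made for this demonstration.

```python
"""Added example (not Apache CXF code): a single-use refresh token store
written two ways, and a burst of concurrent refresh requests that replays
one token against each. Store layout, method names and the client id
are assumptions made for this demonstration."""
import secrets
import threading
import time


class VulnerableRefreshStore:
    """Check-then-act: the token is looked up and validated, and only later
    revoked. Every request that reads the record before the first revoke
    lands is accepted. The sleep widens that window so the race reproduces
    reliably here; real code has the same window, just narrower."""

    def __init__(self, window=0.05):
        self._tokens = {}   # refresh key -> {"client": client_id, "expires": unix time}
        self.window = window

    def issue(self, client_id, ttl=3600):
        key = secrets.token_urlsafe(32)
        self._tokens[key] = {"client": client_id, "expires": time.time() + ttl}
        return key

    def refresh(self, client_id, key):
        rec = self._tokens.get(key)                          # time of check
        if rec is None or rec["client"] != client_id or rec["expires"] < time.time():
            return None
        time.sleep(self.window)                              # concurrent requests pass the check too
        self._tokens.pop(key, None)                          # time of use: revoke, too late
        return secrets.token_urlsafe(32)                     # new access token


class AtomicRefreshStore(VulnerableRefreshStore):
    """Check and consume inside one critical section. In a database the
    same shape is one conditional statement whose affected-row count
    decides the outcome (UPDATE ... SET used = 1 WHERE key = ? AND used = 0),
    not a SELECT followed by a DELETE."""

    def __init__(self, window=0.05):
        super().__init__(window)
        self._lock = threading.Lock()

    def refresh(self, client_id, key):
        with self._lock:
            rec = self._tokens.get(key)
            if rec is None or rec["client"] != client_id or rec["expires"] < time.time():
                return None
            del self._tokens[key]                            # consumed before anyone else can read it
        time.sleep(self.window)                              # same delay, but the token is already gone
        return secrets.token_urlsafe(32)


def replay_concurrently(store, client_id, key, attackers=8):
    """Release `attackers` refresh requests for the same token at the same
    instant and count how many access tokens come back."""
    barrier = threading.Barrier(attackers)
    issued = []
    issued_lock = threading.Lock()

    def attempt():
        barrier.wait()
        token = store.refresh(client_id, key)
        if token is not None:
            with issued_lock:
                issued.append(token)

    threads = [threading.Thread(target=attempt) for _ in range(attackers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(issued)


def demo(attackers=8):
    """Run the same replay against both stores; returns tokens issued per store."""
    results = {}
    for name, store_cls in (("vulnerable", VulnerableRefreshStore), ("atomic", AtomicRefreshStore)):
        store = store_cls()
        key = store.issue("client-a")                        # assumed client id
        results[name] = replay_concurrently(store, "client-a", key, attackers)
    return results


if __name__ == "__main__":
    print(demo())   # vulnerable store issues several tokens, atomic store exactly one
```

The point of the second store is not the lock itself but that the validity check and the consumption of the token happen as one indivisible step; any backend that offers a conditional update with a reliable affected-row count (or a compare-and-swap) gives the same guarantee without a process-wide lock, which matters when the token endpoint runs on more than one node.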

Blast Radius

  • An attacker obtains multiple valid access tokens from a single refresh token, extending unauthorized session lifetime beyond what the server intends to permit.
  • Using the fraudulently issued access tokens, the attacker reads protected API resources and stored data accessible to the legitimate token holder.
  • The attacker can modify or write data through API calls authorized by the extra access tokens, affecting any resource the original token scope covers.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-50631 is active across all scanning pipelines the moment the advisory is ingested, covering both registry images and build-time pipeline scans. Where an affected Apache CXF version (any release before 4.1.7, or 4.2.0 and later before 4.2.2) is found in a customer image, a rebuilt image at the fix version is made available immediately. For customers who have auto-remediation enabled, HarborGuard can rebuild the image, execute regression tests, and open a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Customers not yet able to upgrade should rate-limit the OAuth2 token endpoint, or serialize refresh-token grants for the same token at the gateway in front of it, to narrow the exploitable concurrency window (a network policy on its own does not serialize requests); check the recycleRefreshTokens setting of the deployed data provider, since the advisory ties the issue to that setting being false; and audit recent token-endpoint activity for the same refresh token being accepted more than once within a short interval.
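The audit step above, as an added example that is neither HarborGuard's nor Apache CXF's code: it scans token-endpoint log lines and reports any refresh token accepted more than once, separating near-simultaneous successes (the replay footprint) from reuse spread over time. The log format, the field names (grant, rt_sha256, client, status, src) and the sample lines are constructed for this demonstration; parse_line() is the part to adapt to a real gateway or server log.

```python
"""Added example (not Apache CXF or HarborGuard code): scan token-endpoint
log lines for a refresh token that was accepted more than once. The log
format, the field names and the sample lines below are constructed for
this demonstration; adapt parse_line() to the real gateway or server log."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The raw refresh token is never written to the log;
# the endpoint is assumed to record a short SHA-256 prefix of it (rt_sha256).
SAMPLE_LOG = """\
2026-03-02T10:14:01.120Z grant=refresh_token rt_sha256=9f2c1a client=web-app status=200 src=203.0.113.5
2026-03-02T10:14:01.133Z grant=refresh_token rt_sha256=9f2c1a client=web-app status=200 src=198.51.100.7
2026-03-02T10:14:01.141Z grant=refresh_token rt_sha256=9f2c1a client=web-app status=200 src=203.0.113.5
2026-03-02T10:14:05.900Z grant=refresh_token rt_sha256=b77e40 client=mobile status=200 src=192.0.2.9
2026-03-02T10:14:06.002Z grant=refresh_token rt_sha256=b77e40 client=mobile status=400 src=192.0.2.9
2026-03-02T11:20:00.000Z grant=refresh_token rt_sha256=c0ffee client=web-app status=200 src=203.0.113.5
2026-03-02T12:20:00.000Z grant=refresh_token rt_sha256=c0ffee client=web-app status=200 src=203.0.113.5
"""


def parse_line(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def find_refresh_reuse(log_text, window_seconds=2.0):
    """Group successful refresh grants by token hash and classify every token
    used more than once:
      concurrent: two successes within window_seconds (the replay footprint)
      repeated:   more than one success, but spread out over time
    A rejected second use (status=400, token b77e40 above) is the correct
    single-use behaviour and is not reported."""
    successes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("grant") == "refresh_token" and ev.get("status") == "200":
            successes[ev["rt_sha256"]].append(ev)

    report = {"concurrent": {}, "repeated": {}}
    for key, events in successes.items():
        if len(events) < 2:
            continue
        events.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
        summary = {
            "successes": len(events),
            "sources": sorted({e["src"] for e in events}),
            "span_seconds": (events[-1]["ts"] - events[0]["ts"]).total_seconds(),
        }
        bucket = "concurrent" if min(gaps) <= window_seconds else "repeated"
        report[bucket][key] = summary
    return report


if __name__ == "__main__":
    for bucket, tokens in find_refresh_reuse(SAMPLE_LOG).items():
        for key, info in tokens.items():
            print(f"{bucket}: rt_sha256={key} successes={info['successes']} "
                  f"sources={info['sources']} span={info['span_seconds']:.3f}s")
```

A "concurrent" hit with more than one source address is the strongest signal, since it matches the advisory's "multiple attackers or threads" scenario. How to read the "repeated" bucket depends on whether the deployment intends refresh tokens to be single-use at all; if it does, any entry there is a finding in its own right. Logging only a hash prefix of the refresh token keeps the audit trail from becoming a second source of leaked tokens.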


Fix available: 4.1.7, 4.2.2
Affected packages
  • Apache Software Foundation / Apache CXF
    < 4.2.2 (from 4.2.0) · < 4.1.7 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N