CRITICAL🇵🇱 Wersja polska

CVE-2026-50628

CVSS 9.8pub. 2026-06-12upd. 2026-07-02

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

🤖 AI Analysis
How it works

A logic error (CWE-20 — improper input validation) occurs in the OAuthRequestFilter module of Apache CXF, which reverses the operation of the IP address verification mechanism. The filter is designed to restrict access only to the associated IP address, but due to the error, it rejects requests from that exact address, while requests from any other IP address are accepted without restrictions. A remote, unauthenticated attacker can fully bypass IP address-based access control.

Impact

An attacker without any authentication can gain unauthorized access to resources protected by the IP filtering mechanism, leading to violations of confidentiality, integrity, and availability of data and services.

Mitigation & patch

Apache CXF should be updated to version 4.2.2 or 4.1.7, which contain a fix for this error. Until updating, it is recommended to disable IP filtering based on OAuthRequestFilter or implement external access control mechanisms (e.g., at the firewall or reverse proxy level).

Who is affected

Apache CXF in versions prior to 4.2.2 and 4.1.7, in configurations with OAuthRequestFilter enabled with IP address verification

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Cxf

    APP
    Apache
    < 4.1.74.2.0 – 4.2.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-49875CRITICAL9.8PL ✓ten sam produkt

Apache CXF: podatność XXE w EndpointReferenceUtils i W3CMultiSchemaFactory

CVE-2026-50627CRITICAL9.1PL ✓ten sam produkt

Apache CXF: brak weryfikacji pola 'aud' w tokenach JWT (Token Confusion)

CVE-2026-44930CRITICAL9.8ten sam produkt

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow ...

CVE-2025-48913CRITICAL9.8PL ✓ten sam produkt

Apache CXF: RCE przez złośliwe URL w konfiguracji JMS

CVE-2024-29736CRITICAL9.1PL ✓ten sam produkt

SSRF w opisie usług WADL w Apache CXF