CVE-2026-50627
EUVD-2026-3639512.06.2026, 10:16
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.Enginsight
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| apache | cxf | 4.2.0 ≤ 𝑥 < 4.2.2 | CNA |
| apache | cxf | 𝑥 < 4.1.7 | CNA |
Vulnerability Media Exposure