CVE-2026-50623

Vulnerability

The OAuth2 TokenIntrospectionService in Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) contains an authentication bypass vulnerability. Due to a missing throw keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed without authentication. This affects versions 4.2.0 before 4.2.2, and all versions before 4.1.7 [1]. The vulnerability is only exploitable if authentication on the service has not been enabled.

Exploitation

An unauthenticated network attacker can directly send requests to the /services/oauth2/introspect endpoint. No prior authentication or user interaction is required. The missing throw keyword causes the security check to fail silently, allowing the request to proceed.

Impact

Successful exploitation allows an attacker to perform token introspection without authorization. This could lead to disclosure of token validity and associated metadata, potentially aiding in further attacks. The impact is limited to scenarios where the administrator has forgotten to enable authentication on the service.

Mitigation

Users should upgrade to Apache CXF version 4.2.2 or 4.1.7, which include the fix for this issue [1]. No workarounds are documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.