CVE-2026-50627
Description
Apache CXF JwtAccessTokenValidator omits 'aud' and 'iss' validation, allowing a JWT issued for one Resource Server to be replayed against another.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The JwtAccessTokenValidator class in Apache CXF's OAuth2 module (cxf-rt-rs-security-oauth2) fails to validate the aud (Audience) and iss (Issuer) claims of incoming JWT access tokens. The vulnerability affects Apache CXF from 4.2.0 up to, but not including, 4.2.2, and all versions before 4.1.7. Because neither claim is checked, a JWT issued for one Resource Server is accepted by a completely different Resource Server [1].
Exploitation
An attacker who possesses a valid JWT access token issued for any Resource Server (either obtained legitimately or through interception) can replay that token against a different Resource Server. The attacker needs only network access to the target Resource Server; no special authentication or user interaction is required because the validator does not check the token's intended audience [1].
Impact
Successful exploitation results in a Token Confusion/Routing attack. The attacker gains unauthorized access to resources and operations on the targeted Resource Server, potentially leading to information disclosure, data modification, or privilege escalation at the level of the original token's permissions [1].
Mitigation
Users should upgrade to Apache CXF versions 4.2.2 or 4.1.7, which include proper validation of aud and iss claims. No workarounds are described in the available references. The fixed versions were released on 2026-06-11 [1].
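The following is an added, language-neutral illustration of the missing checks, not Apache CXF's code: a minimal HS256 validator that, besides signature and expiry, enforces iss and aud, then presents one token (constructed data, constructed shared key) to the Resource Server it was issued for and to a different one. With a shared verification key the signature check passes on both servers; only the aud check stops the replay.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 token, standing in for the Authorization Server's signing step.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token, key, expected_iss, expected_aud, now=None):
    """Return the claims only if the token is valid for THIS resource server."""
    h, p, s = token.split(".")                      # ValueError on a malformed token
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The two checks the advisory says the vulnerable validator skipped:
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]   # RFC 7519: string or array
    if expected_aud not in aud_list:
        raise ValueError("audience mismatch: token was issued for another resource server")
    return claims

def replay_demo():
    # Same token presented to the intended RS and to a different RS (constructed data).
    key = b"constructed-shared-hs256-key"   # both RSs trust the same AS key
    now = 1_780_000_000
    tok = mint_token({"iss": "https://as.example", "aud": "rs-orders",
                      "sub": "alice", "exp": now + 600}, key)
    results = {}
    for rs in ("rs-orders", "rs-billing"):
        try:
            validate_token(tok, key, "https://as.example", rs, now=now)
            results[rs] = "accepted"
        except ValueError as e:
            results[rs] = f"rejected ({e})"
    return results
```

Dropping the iss and aud lines from validate_token reproduces the advisory's behaviour: rs-billing then accepts the rs-orders token unchanged.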
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.