CVE-2026-50628
Description
Logic error in Apache CXF OAuthRequestFilter inverts IP binding check, allowing all except the bound IP; fixed in 4.2.2/4.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A logic error in Apache CXF's OAuthRequestFilter (in the cxf-rt-rs-security-oauth2 module) causes the filter to reject legitimate requests originating from the configured bound IP address while allowing requests from any other IP address without further checks. This inverts the intended security check. Affected versions are Apache CXF 4.2.0 up to but not including 4.2.2, and all versions before 4.1.7 [1].
Exploitation
An attacker can send a request from any IP address that is not the bound IP; the filter will accept it, bypassing the intended restriction. No authentication or special network position is required beyond being able to reach the vulnerable service.
Impact
Successful exploitation allows an attacker to access resources that should be restricted to the bound IP address, defeating the purpose of the IP-based security control. This leads to unauthorized access and potential information disclosure or further compromise.
Mitigation
Users should upgrade to Apache CXF version 4.2.2 or 4.1.7, which fix the logic error [1]. The fix was already available as of the publication date (2026-06-12). No workaround is documented.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet (0).
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions (2)
No linked articles in our index yet (0).