CVE-2026-50629
Description
Apache CXF OAuth2 logs unsanitized clientId, enabling log injection that can forge entries or poison log analysis tools.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The cxf-rt-rs-security-oauth2 module of Apache CXF, in versions before 4.1.7 and in versions from 4.2.0 up to but not including 4.2.2, directly concatenates the clientId parameter from incoming HTTP requests into OAuth2 server log warning messages without sanitizing control characters [1]. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files [1].
Exploitation
An attacker must be able to send an HTTP request to an affected Apache CXF OAuth2 endpoint. The attacker includes malicious control characters (e.g., newline characters) within the clientId parameter value. The server logs a warning message that contains the unsanitized clientId, thereby injecting attacker-controlled content into the log output [1]. No authentication or special privileges are required beyond network access to the OAuth2 endpoint.
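The concatenation pattern described above, beside a version that neutralises control characters before logging, as an added illustration in plain Java. This is not Apache CXF's code or its fix: the `unsafeWarning`, `safeWarning` and `sanitize` methods and the message text are assumed for the example, and the forged clientId value is constructed.

```java
import java.util.logging.Logger;

/**
 * Added example (not Apache CXF code): why concatenating an unsanitized
 * clientId into a log message lets a caller forge entries, and one way
 * to escape control characters so each request yields exactly one line.
 */
public class ClientIdLogSanitizer {
    private static final Logger LOG = Logger.getLogger(ClientIdLogSanitizer.class.getName());

    /** Vulnerable pattern: the raw request parameter goes straight into the message. */
    static String unsafeWarning(String clientId) {
        return "Client ID " + clientId + " is invalid";
    }

    /** Hardened pattern: control characters are escaped, so the entry cannot span lines. */
    static String safeWarning(String clientId) {
        return "Client ID " + sanitize(clientId) + " is invalid";
    }

    /**
     * Replace every ISO control character (U+0000-U+001F, U+007F-U+009F)
     * with a visible \\uXXXX escape instead of letting it reach the log as-is.
     */
    static String sanitize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (Character.isISOControl(c)) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed value: a newline followed by text shaped like a genuine log record.
        String forged = "evil\nINFO: token granted to admin";
        LOG.warning(unsafeWarning(forged)); // two lines in the log; the second looks legitimate
        LOG.warning(safeWarning(forged));   // one line, with the newline shown as \u000a
    }
}
```

Log analysis tooling that keys on line boundaries treats the second line of the unsafe output as an independent event, which is the poisoning the description refers to; the sanitized form keeps the attacker's bytes visible but inert.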
Impact
Successful exploitation allows an attacker to inject arbitrary log entries into the server's log files. This can be used to mislead security monitoring tools, conceal malicious activity, or cause log analysis systems to misinterpret events. The impact is limited to log injection; no data confidentiality or integrity beyond log file manipulation is directly compromised.
Mitigation
Users should upgrade to Apache CXF version 4.1.7 or 4.2.2, released on June 11, 2026, which fixes the issue [1]. No workarounds are described in the reference. The CVE severity is rated low [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <4.2.2, <4.1.7
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.