VYPR
Unrated severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-50630

Description

CRLF injection in Apache CXF OAuth2 AuthorizationUtils allows HTTP response splitting via unsanitized realm parameter; fixed in 4.2.2/4.1.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A CRLF injection vulnerability exists in the AuthorizationUtils class of Apache CXF's OAuth2 module (cxf-rt-rs-security-oauth2). When constructing the WWW-Authenticate response header, the realm parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. Affected versions are 4.2.0 before 4.2.2 and all versions before 4.1.7 [1].

Exploitation

An attacker must be able to control the realm value passed to the OAuth2 authorization endpoint. By injecting CRLF sequences (e.g., %0d%0a) into the realm, the attacker can insert arbitrary HTTP headers or split the HTTP response body, leading to HTTP response splitting [1].

Impact

Successful exploitation allows an attacker to perform HTTP response splitting, which can be leveraged for cache poisoning, cross-site scripting (XSS), or session fixation attacks. The attacker can inject arbitrary headers or content into the HTTP response, potentially affecting downstream clients or proxies [1].

Mitigation

Users should upgrade to Apache CXF 4.2.2 or 4.1.7, which sanitize CR and LF characters in the realm parameter. No workarounds are documented; the fix is included in these releases [1].
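The header-construction flaw and its fix, as an added Java illustration that is not Apache CXF's own code (the class, method names and the realm value are constructed for this example): the vulnerable builder lets a CR/LF inside the realm open a second header line, while the sanitized builder removes those characters the way the advisory says the fixed releases do.

```java
import java.util.regex.Pattern;

// Hypothetical helpers illustrating CVE-2026-50630; not Apache CXF's own code.
public class RealmHeaderExample {

    // CR or LF anywhere in a header value is what makes response splitting possible.
    private static final Pattern CRLF = Pattern.compile("[\\r\\n]");

    // Vulnerable pattern: the realm is spliced into WWW-Authenticate unchanged,
    // so a CR/LF inside it ends the header line and starts a new one.
    static String vulnerableChallenge(String scheme, String realm) {
        return scheme + " realm=\"" + realm + "\"";
    }

    // Fixed pattern, matching the advisory's description of 4.2.2/4.1.7:
    // CR and LF are removed before the value reaches the header.
    static String sanitizedChallenge(String scheme, String realm) {
        String clean = CRLF.matcher(realm).replaceAll("");
        return scheme + " realm=\"" + clean + "\"";
    }

    // Input-validation check usable at the endpoint or in a request-inspection
    // rule: a realm parameter carrying CR/LF has no legitimate use.
    static boolean containsCrlf(String realm) {
        return CRLF.matcher(realm).find();
    }

    // How many header lines the serialized challenge occupies; more than one
    // means the response has been split.
    static int headerLineCount(String challenge) {
        return ("WWW-Authenticate: " + challenge).split("\r\n", -1).length;
    }

    public static void main(String[] args) {
        // Constructed realm value: what a URL-decoded "%0d%0a" sequence becomes.
        String tampered = "api\r\nX-Injected: 1";

        String bad = vulnerableChallenge("Bearer", tampered);
        String good = sanitizedChallenge("Bearer", tampered);

        System.out.println("suspicious input? " + containsCrlf(tampered));
        System.out.println("vulnerable builder emits " + headerLineCount(bad) + " header line(s)");
        System.out.println("sanitized builder emits  " + headerLineCount(good) + " header line(s)");
        System.out.println("sanitized value: " + good);
    }
}
```

Stripping is what the advisory describes; rejecting the request outright when `containsCrlf` is true is an equally valid choice that also surfaces the tampering in logs.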

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

  • Apache/Oltu (inferred)
    Range: <=4.1.6,<4.1.7||<=4.2.1,<4.2.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (2)

News mentions (0)

No linked articles in our index yet.