CVE-2026-50631
Description
A race condition in Apache CXF's AbstractOAuthDataProvider allows concurrent reuse of a single Refresh Token to generate multiple Access Tokens when recycleRefreshTokens is false.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A time-of-check/time-of-use (TOCTOU) race condition exists in AbstractOAuthDataProvider within the Apache CXF OAuth2 module (cxf-rt-rs-security-oauth2). When the recycleRefreshTokens property is set to false, the code path that validates a Refresh Token and then consumes it by issuing a new Access Token is not atomic. Concurrent requests presenting the same Refresh Token can all pass the validation check before any of them records the token as used, so several Access Tokens are issued against one Refresh Token. This affects versions 4.2.0 up to but not including 4.2.2, and all versions before 4.1.7 [1].
Exploitation
An attacker must possess a valid Refresh Token issued by a server whose configuration has recycleRefreshTokens set to false. The attacker sends two or more token refresh requests containing that same Refresh Token at the same time. Because the check and the consumption are not tied together, each request can independently pass the single-use check and receive its own new Access Token. No special network position is required: the attacker can simply act as an OAuth2 client holding a leaked Refresh Token, and no credential beyond possession of that token is needed. Any number of concurrent requests, from one attacker or several, can race for the same window [1].
Impact
Successful exploitation allows an attacker to obtain multiple valid Access Tokens from a single Refresh Token, violating the intended single-use semantics of the refresh token flow. This can lead to unauthorized access to protected resources, since the extra tokens can be used to extend access or be spread across several sessions. The maintainers rate the severity as low, because the attacker must already hold a valid Refresh Token, but the bug still breaks the expectation that one refresh request yields one Access Token [1].
Mitigation
The fix is included in Apache CXF versions 4.2.2 and 4.1.7, released on 2026-06-11 [1]. All users should upgrade to one of these versions or later. No workaround is provided in the available references; the description scopes the issue to deployments with recycleRefreshTokens set to false, but the references do not state whether enabling recycling avoids it. Users on unsupported or EOL versions must upgrade to a supported release to remediate the issue.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.1.7 || >=4.2.0 <4.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.