CVE-2026-50634

Vulnerability

A vulnerability in Apache CXF's JwsJsonContainerRequestFilter (in cxf-rt-rs-security-jose-jaxrs) can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. Affected versions are Apache CXF 4.2.0 before 4.2.1 (fixed in 4.2.2) and versions before 4.1.7. The flaw lies in how the filter determines which JSON Web Signature (JWS) entry in a JSON serialization is used to validate protected HTTP header metadata and Content-Type values; it trusts the first signature entry without verifying that the accepted signature corresponds to that entry [1].

Exploitation

An attacker must be able to send a crafted JWS JSON object to a service using the vulnerable filter. The attacker includes multiple signature entries, one of which carries valid signature metadata (e.g., accepted Content-Type or protected headers) while a separate, unvalidated first entry contains different metadata. The filter incorrectly processes metadata from the unvalidated first entry, bypassing the application's assumption that header metadata came from a verified signature. No authentication or special privileges are required beyond network access to the endpoint [1].

Impact

Successful exploitation allows the attacker to influence downstream JAX-RS entity parsing or signed-header consistency checks by injecting arbitrary Content-Type or protected HTTP header metadata. This can lead to misparsing of request bodies, bypass of security constraints relying on header verification, or other unintended behavior, potentially leading to further application-level compromise [1].

Mitigation

Users should upgrade to Apache CXF versions 4.2.2 or 4.1.7, which fix the issue. No workaround is documented; upgrading the affected Maven artifact org.apache.cxf:cxf-rt-rs-security-jose-jaxrs is the recommended action [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.