CVE Catalog

CVE-2026-50627

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile — higher than 34% of all known CVEs

Summary

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be replayed against a different Resource Server, leading to Token Confusion/Routing attacks.

Risk Assessment

The organization is at risk of unauthorized access to resources, as an attacker can reuse a JWT token from one server to access another server, potentially leading to data leakage or privilege escalation.

Recommendation

Upgrade Apache CXF to version 4.2.2 or 4.1.7 immediately, which contain the fix for this vulnerability.

Original NVD description (English source)

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS