CVE Catalog

CVE-2026-50628

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.63%

46th percentile — higher than 46% of all known CVEs

Summary

A logic error in OAuthRequestFilter rejects legitimate requests from the bound IP address while blindly allowing requests from any other IP address. Enabling this security feature creates an inverse security check.

Risk Assessment

The organization may lose access to its own OAuth-protected resources while attackers from outside can gain unauthorized access.

Recommendation

Immediately upgrade to version 4.2.2 or 4.1.7, which contain the fix for this logic error.

Original NVD description (English source)

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS