CVE Catalog

CVE-2026-50630

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

34th percentile — higher than 34% of all known CVEs

Summary

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. The 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters, allowing an attacker to inject arbitrary HTTP headers or split the HTTP response entirely.

Risk Assessment

Attackers can exploit this vulnerability to manipulate HTTP headers, potentially leading to serious security issues, including HTTP response splitting attacks.

Recommendation

Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Original NVD description (English source)

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS