PatchSiren cyber security CVE debrief
CVE-2026-50627 Apache Software Foundation CVE debrief
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks.
- Vendor: Apache Software Foundation
- Product: Apache CXF
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Operators of Apache CXF resource servers that accept JWT access tokens through JwtAccessTokenValidator, and in particular deployments where several resource servers trust the same authorization server and signing keys, since that is the setting in which a token minted for one service can be replayed against another. Upgrade to Apache CXF 4.2.2 or 4.1.7, which fix the issue.
Technical summary
The JwtAccessTokenValidator class in Apache CXF, used on the resource-server side to accept JWT access tokens, does not check the 'aud' (Audience) claim of incoming tokens. RFC 7519 section 4.1.3 requires a recipient that does not identify itself with one of the values in 'aud' to reject the token, and RFC 9068 section 4 requires a resource server validating a JWT access token to confirm that 'aud' names an identifier it expects for itself. Because the check is skipped, a token the authorization server issued for one resource server passes the signature and lifetime checks at any other resource server that trusts the same issuer and keys, so the token can simply be replayed against the wrong service (a token confusion or routing attack). The exposure is the whole set of resource servers sharing that trust: whoever holds a valid token for one of them can present it to the others. Apache CXF 4.2.2 and 4.1.7 add the missing validation.
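To make the failure mode concrete, here is an added Python example; it is not Apache CXF code and does not use the CXF API. It contains a minimal HS256 JWT issuer plus two validators: one that mirrors the flaw (signature and expiry only) and one that adds the audience rule from RFC 7519 section 4.1.3 and RFC 9068 section 4, handling both the string and array forms of 'aud' and rejecting a token that carries no 'aud' at all. The issuer, the shared key and the two resource-server identifiers are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed example data: one authorization server signs tokens for two
# resource servers with the same HS256 key. Names and key are hypothetical.
ISSUER = "https://as.example"
ISSUER_KEY = b"shared-authorization-server-key"
ORDERS_API = "https://api.orders.example"
BILLING_API = "https://api.billing.example"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the authorization server: issue a compact HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_signature(token: str, key: bytes) -> dict:
    """Check structure, pinned algorithm and HMAC; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_vulnerable(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Mirrors the flaw: signature and lifetime are checked, 'aud' is ignored."""
    claims = verify_signature(token, key)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def validate_hardened(token: str, key: bytes, expected_audience: str, now: Optional[float] = None) -> dict:
    """Same checks plus the RFC 7519 4.1.3 / RFC 9068 4 audience rule:
    'aud' must be present and must contain this resource server's own identifier."""
    claims = validate_vulnerable(token, key, now)
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("missing aud")
    audiences = [aud] if isinstance(aud, str) else aud  # 'aud' may be a string or an array
    if not isinstance(audiences, list) or expected_audience not in audiences:
        raise ValueError("audience mismatch")
    return claims


def _accepts(check: Callable[[], dict]) -> bool:
    try:
        check()
        return True
    except ValueError:
        return False


def run_demo(now: float = 1_800_000_000.0) -> dict:
    """Replay a token minted for the orders API against the billing API and report who accepts it."""
    base = {"iss": ISSUER, "sub": "alice", "exp": now + 300}
    for_orders = mint_token({**base, "aud": ORDERS_API}, ISSUER_KEY)
    for_both = mint_token({**base, "aud": [ORDERS_API, BILLING_API]}, ISSUER_KEY)
    no_aud = mint_token(base, ISSUER_KEY)
    forged = mint_token({**base, "aud": BILLING_API}, b"not-the-issuer-key")
    return {
        "vulnerable_billing_accepts_orders_token": _accepts(lambda: validate_vulnerable(for_orders, ISSUER_KEY, now)),
        "hardened_billing_rejects_orders_token": not _accepts(lambda: validate_hardened(for_orders, ISSUER_KEY, BILLING_API, now)),
        "hardened_orders_accepts_own_token": _accepts(lambda: validate_hardened(for_orders, ISSUER_KEY, ORDERS_API, now)),
        "hardened_billing_accepts_multi_audience": _accepts(lambda: validate_hardened(for_both, ISSUER_KEY, BILLING_API, now)),
        "hardened_rejects_missing_aud": not _accepts(lambda: validate_hardened(no_aud, ISSUER_KEY, BILLING_API, now)),
        "forged_with_wrong_key_rejected": not _accepts(lambda: validate_hardened(forged, ISSUER_KEY, BILLING_API, now)),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point to carry into a real deployment: the token for the orders API is cryptographically valid everywhere the issuer's key is trusted, so nothing short of comparing 'aud' against the receiving service's own identifier tells the billing API that the token was never meant for it. The multi-audience case shows why the comparison has to be a membership test rather than string equality. Pinning the algorithm in verify_signature is unrelated to this CVE but is the other check a JWT validator must never delegate to the token.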
Defensive priority
high
Recommended defensive actions
- Upgrade to Apache CXF 4.2.2 or 4.1.7.
- Until the upgrade is deployed, enforce the audience check in front of the service (an API gateway or a custom validation step) by rejecting any token whose 'aud' does not name the receiving resource server, and confirm that the authorization server mints a distinct 'aud' per resource server so the check has something to compare against.
- After upgrading, verify the fix by presenting a valid token minted for a sibling resource server and confirming the patched service rejects it.
Evidence notes
CVE-2026-50627 was published on 2026-06-12T10:16:22.587Z and modified on 2026-06-12T13:08:47.310Z.
Official resources
- CVE-2026-50627 CVE record (CVE.org)
- CVE-2026-50627 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: af854a3a-2127-422b-91ae-364da2661108