PatchSiren cyber security CVE debrief
CVE-2026-50628 Apache Software Foundation CVE debrief
CVE-2026-50628 is a vulnerability caused by a logic error in OAuthRequestFilter. This error leads to the filter rejecting legitimate requests that originate from the bound IP address, while it blindly allows requests from any other IP address. As a result, enabling this security feature inadvertently creates an inverse security check, potentially exposing systems to unauthorized access.
- Vendor: Apache Software Foundation
- Product: Apache CXF
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of affected versions are recommended to upgrade to version 4.2.2 or 4.1.7, which fix this issue.
Technical summary
The vulnerability is caused by a logic error in OAuthRequestFilter, which is part of Apache CXF. When the IP-binding feature is enabled, the error results in an inverse security check: requests from the bound IP address are rejected while requests from any other IP address are allowed.
Defensive priority
high
Recommended defensive actions
- Upgrade to version 4.2.2 or 4.1.7
Evidence notes
The CVE record was published on [cve-org] and additional details can be found on [nvd].
Official resources
- CVE-2026-50628 CVE record (CVE.org)
- CVE-2026-50628 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: af854a3a-2127-422b-91ae-364da2661108
CVE-2026-50628 was published on 2026-06-12T10:16:22.710Z and modified on 2026-06-12T13:08:47.310Z.