PatchSiren cyber security CVE debrief
CVE-2026-50629 Apache Software Foundation CVE debrief
The 'clientId' parameter from incoming HTTP requests is concatenated directly into OAuth2 server log warning messages without control characters (such as CR and LF) being sanitized. An attacker can therefore inject arbitrary content, including fake log entries, into the server's log files.
- Vendor: Apache Software Foundation
- Product: Apache CXF
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Apache CXF versions prior to 4.2.2 or 4.1.7 should upgrade to a patched version to prevent log injection attacks.
Technical summary
The vulnerability has a CVSS 3.1 base score of 5.3 (MEDIUM) and is classified as CWE-93 (CRLF injection). The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N describes a flaw reachable over the network with no privileges or user interaction required, whose impact is limited to integrity (of the log data), with no confidentiality or availability impact.
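The following is an added illustration, not Apache CXF code: a constructed stand-in for the unsanitized concatenation pattern beside a sanitized version, showing that a CRLF in the request parameter splits one log call into two lines and that escaping control characters before logging keeps the entry on one line. Message wording and the sample value are assumptions.

```python
import re

# Constructed example, not Apache CXF code. A C0 control character or DEL in a
# request parameter that is concatenated into a log message can terminate the
# line and start a forged entry. Neutralizing those characters prevents that.

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_NAMED = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}


def sanitize_for_log(value: str) -> str:
    """Escape every control character so the value stays on one log line."""
    return _CONTROL.sub(
        lambda m: _NAMED.get(m.group(0), "\\x%02x" % ord(m.group(0))), value
    )


def warning_unsanitized(client_id: str) -> str:
    """Hypothetical stand-in for the vulnerable pattern: raw concatenation."""
    return "WARN Client ID " + client_id + " is not registered"


def warning_sanitized(client_id: str) -> str:
    """Same message with the parameter neutralized before it reaches the log."""
    return "WARN Client ID " + sanitize_for_log(client_id) + " is not registered"


def line_count(log_entry: str) -> int:
    """Physical lines produced by a single log call; a correct entry yields 1."""
    return len(log_entry.splitlines())


# Constructed malicious value: a CRLF followed by a benign-looking fake entry.
FORGED_CLIENT_ID = "app-1\r\nINFO  Admin login succeeded for user=admin"

if __name__ == "__main__":
    for fn in (warning_unsanitized, warning_sanitized):
        entry = fn(FORGED_CLIENT_ID)
        print(f"{fn.__name__}: {line_count(entry)} line(s)")
        print(entry)
```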
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Apache CXF version 4.2.2 or 4.1.7 to fix the issue.
Evidence notes
The vulnerability was published on June 12, 2026, and modified on the same day.
Official resources
- CVE-2026-50629 CVE record (CVE.org)
- CVE-2026-50629 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
CVE-2026-50629 was published on 2026-06-12T10:16:22.830Z and modified on 2026-06-12T19:04:34.927Z.