PatchSiren cyber security CVE debrief
CVE-2026-50630 Apache Software Foundation CVE debrief
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class of Apache CXF. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely.
- Vendor: Apache Software Foundation
- Product: Apache CXF
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Apache CXF versions prior to 4.2.2 or 4.1.7 should upgrade to a fixed version to prevent potential CRLF injection attacks.
Technical summary
The vulnerability exists in the OAuth2 AuthorizationUtils class of Apache CXF. The 'realm' parameter in the WWW-Authenticate response header is not sanitized for CR and LF characters, allowing for potential injection of arbitrary HTTP headers or splitting of the HTTP response.
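As an added example that is not Apache CXF's own code, the snippet below places the unsafe concatenation pattern the advisory describes next to a hardened builder that refuses CR and LF in the realm, plus a check a response filter or log review could apply; the class and method names are hypothetical, and the hostile realm value is a constructed sample.

```java
import java.util.regex.Pattern;

public final class RealmHeaderCheck {
    // Pattern the advisory describes: the realm is dropped into the header
    // value as-is, so a CR/LF inside it ends the header line early.
    static String unsafeWwwAuthenticate(String scheme, String realm) {
        return scheme + " realm=\"" + realm + "\"";
    }

    // CR, LF and NUL must never appear inside an HTTP header field value.
    private static final Pattern CTL = Pattern.compile("[\\r\\n\\x00]");

    // Hardened form: reject a realm carrying control characters outright
    // (stripping silently can hide a bug) and escape quotes/backslashes so
    // the value stays a single quoted-string per RFC 7235.
    static String safeWwwAuthenticate(String scheme, String realm) {
        if (realm == null || CTL.matcher(realm).find()) {
            throw new IllegalArgumentException("realm contains CR/LF or NUL");
        }
        String quoted = realm.replace("\\", "\\\\").replace("\"", "\\\"");
        return scheme + " realm=\"" + quoted + "\"";
    }

    // Detection helper for a response filter: true when writing this value
    // verbatim would start a new header line or end the header block.
    static boolean looksLikeHeaderInjection(String headerValue) {
        return headerValue != null && CTL.matcher(headerValue).find();
    }

    public static void main(String[] args) {
        // Constructed sample: a realm that smuggles an extra header line.
        String hostile = "api\r\nX-Injected: 1";
        String header = unsafeWwwAuthenticate("Bearer", hostile);
        System.out.println("unsafe builder flagged: " + looksLikeHeaderInjection(header));
        try {
            safeWwwAuthenticate("Bearer", hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("safe builder rejected: " + e.getMessage());
        }
        // A legitimate realm containing quotes is still emitted correctly.
        System.out.println(safeWwwAuthenticate("Bearer", "api \"v2\""));
    }
}
```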
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Apache CXF version 4.2.2 or 4.1.7 to fix the CRLF injection vulnerability.
Evidence notes
The vulnerability has a CVSS score of 6.5 and is classified as MEDIUM severity.
Official resources
- CVE-2026-50630 CVE record (CVE.org)
- CVE-2026-50630 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
CVE-2026-50630 was published on 2026-06-12T10:16:22.950Z and modified on 2026-06-12T19:04:00.513Z.