PatchSiren cyber security CVE debrief

CVE-2026-50631 Apache Software Foundation CVE debrief

CVE-2026-50631 is a HIGH severity vulnerability in Apache CXF's AbstractOAuthDataProvider. A race condition allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens when 'recycleRefreshTokens' is set to false. This can be exploited if a refresh token is leaked and replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7 to fix this issue.

Vendor
Apache Software Foundation
Product
Apache CXF
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-12
Advisory published
2026-06-12
Advisory updated
2026-06-12

Who should care

Users of Apache CXF, in particular deployments running a 4.1.x release before 4.1.7 or a 4.2.x release before 4.2.2, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in the AbstractOAuthDataProvider of Apache CXF. When 'recycleRefreshTokens' is set to false, a race condition can occur, allowing multiple valid Access Tokens to be generated from a single Refresh Token if concurrent requests are made. This can lead to unauthorized access if an attacker obtains a refresh token.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Apache CXF version 4.2.2 or 4.1.7.
  • Review whether 'recycleRefreshTokens' is set to false, the configuration in which the race is reachable, and adjust the setting where appropriate.
  • Monitor for and restrict concurrent requests that present the same Refresh Token, since a single-use token should succeed at most once.
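The monitoring step above, as an added example that is not part of the original debrief or of Apache CXF: it scans constructed token-endpoint log lines (a hypothetical layout, with refresh tokens logged only as a hash) for a refresh token that minted more than one access token, and reports how many of those grants fell inside a short window, which is the footprint of the concurrent replay this CVE describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not CXF's own layout).
# Refresh tokens are represented by a hash, never in clear text.
SAMPLE_LOG = """\
2026-06-12T10:16:23.070Z client=app1 grant=refresh_token rt_hash=9f1c status=200
2026-06-12T10:16:23.090Z client=app1 grant=refresh_token rt_hash=9f1c status=200
2026-06-12T10:16:23.110Z client=app1 grant=refresh_token rt_hash=9f1c status=200
2026-06-12T10:16:30.000Z client=app2 grant=refresh_token rt_hash=77aa status=200
2026-06-12T10:16:31.000Z client=app2 grant=refresh_token rt_hash=77aa status=400
2026-06-12T10:20:00.000Z client=app3 grant=refresh_token rt_hash=c0de status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) grant=(?P<grant>\S+) "
    r"rt_hash=(?P<rt>\S+) status=(?P<status>\d+)$"
)


def parse(log_text):
    """Yield (timestamp, client, rt_hash, status) for refresh_token grant requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["grant"] != "refresh_token":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        yield ts, m["client"], m["rt"], int(m["status"])


def max_in_window(times, window):
    """Largest number of sorted timestamps that fit inside one span of `window`."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_replays(log_text, window=timedelta(seconds=2)):
    """Alert on every refresh token that produced more than one successful grant.
    Only status 200 counts: a rejected replay is the correct single-use outcome."""
    successes = defaultdict(list)
    for ts, client, rt, status in parse(log_text):
        if status == 200:
            successes[(client, rt)].append(ts)
    alerts = []
    for (client, rt), times in sorted(successes.items()):
        if len(times) > 1:
            times.sort()
            alerts.append({"client": client, "rt_hash": rt, "grants": len(times),
                           "concurrent": max_in_window(times, window)})
    return alerts
```

Run on the sample, only app1's token is reported: three access tokens were minted from it within 40 ms, while app2's second attempt was correctly refused.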

Evidence notes

The CVE-2026-50631 record and NVD detail provide comprehensive information about this vulnerability.

Official resources

CVE-2026-50631 was published on 2026-06-12T10:16:23.070Z and modified on 2026-06-12T19:03:45.180Z.