PatchSiren cyber security CVE debrief
CVE-2026-50634 Apache Software Foundation CVE debrief
A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted 'Content-Type' or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
- Vendor: Apache Software Foundation
- Product: Apache CXF
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Apache CXF, particularly those using versions prior to 4.2.2 or 4.1.7, should be aware of this vulnerability and take steps to upgrade.
Technical summary
CVE-2026-50634 has a CVSS score of 6.5 and is classified as MEDIUM severity. It affects Apache CXF. The flaw is in the JwsJsonContainerRequestFilter, which can cause CXF to process metadata that was not authenticated by the accepted signature. This bypasses the application's assumption that accepted 'Content-Type' or protected HTTP-header metadata came from a verified signature entry.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Apache CXF version 4.2.2 or 4.1.7, which fixes this issue.
Evidence notes
The CVE-2026-50634 vulnerability was published on 2026-06-12T10:16:23.413Z and modified on 2026-06-12T18:49:58.963Z. The vulnerability affects Apache CXF and has a CVSS score of 6.5.
Official resources
- CVE-2026-50634 CVE record: CVE.org
- CVE-2026-50634 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, Mailing List
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory