CVE-2026-50627

Published Jun 12, 2026

Last updated 2 days ago

Overview

Description
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Source
security@apache.org
NVD status
Undergoing Analysis

Weaknesses

security@apache.org
CWE-289

Social media

Hype score
Not currently trending

  1. 🚨*CVE* CVE-2026-50627 The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource… https://t.co/RhK0LqOshX ----- Traducción: CVE-2026-50627 La … https://t.co/utmtNg

    @infoflowcloud

    12 Jun 2026

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.