{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-50628","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2026-06-05T10:46:30.931Z","datePublished":"2026-06-12T08:56:28.526Z","dateUpdated":"2026-07-02T12:05:00.780Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://repo.maven.apache.org/maven2","defaultStatus":"unaffected","packageName":"org.apache.cxf:cxf-rt-rs-security-oauth2","product":"Apache CXF","vendor":"Apache Software Foundation","versions":[{"lessThan":"4.2.2","status":"affected","version":"4.2.0","versionType":"semver"},{"lessThan":"4.1.7","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Guanping Zhang reported this vulnerability"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this<br>\nsecurity feature inadvertently creates an inverse security check.&nbsp;Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.<br>"}],"value":"A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this\n\nsecurity feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue."}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2026-06-12T08:56:28.526Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/vb3ho8lf228gh90m1fpnohf2008xrdxk"}],"source":{"discovery":"UNKNOWN"},"title":"Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/06/11/5"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-06-12T09:28:03.551Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-06-15T18:32:19.829621Z","id":"CVE-2026-50628","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-15T19:28:29.840Z"}},{"affected":[{"cpes":["cpe:/a:redhat:camel_spring_boot:4"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel for Spring Boot 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_web_server:5"],"defaultStatus":"affected","product":"Red Hat JBoss Web Server 5","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"}],"datePublic":"2026-06-12T08:56:28.526Z","descriptions":[{"lang":"en","value":"A flaw was found in the OAuthRequestFilter component of cxf. A logic error in this filter inadvertently creates an inverse security check when enabled. This issue causes legitimate requests from a bound IP address to be rejected, while requests from any other IP address are blindly allowed. This could lead to unauthorized access to resources."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-358","description":"Improperly Implemented Security Check for Standard","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-50628"},{"name":"RHBZ#2488302","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2488302"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50628.json"}],"timeline":[{"lang":"en","time":"2026-06-12T10:01:04.467Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-12T08:56:28.526Z","value":"Made public."}],"title":"cxf: org.apache.cxf/cxf-rt-rs-security-oauth2: cxf: Unauthorized access due to logic error in OAuthRequestFilter","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-02T12:05:00.780Z"}}]}}