PT-2026-48846 · Apache · Apache Cxf
Published
2026-06-12
·
Updated
2026-06-12
·
CVE-2026-50627
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Cxf