9.8
CVE-2026-50628
- EPSS 0.63%
- Veröffentlicht 12.06.2026 08:56:28
- Zuletzt bearbeitet 02.07.2026 12:17:32
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control
A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.63% | 0.456 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.4 | 2.2 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-358 Improperly Implemented Security Check for Standard
The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
https://lists.apache.org/thread/vb3ho8lf228gh90m1fpnohf2008xrdxk
http://www.openwall.com/lists/oss-security/2026/06/11/5
https://access.redhat.com/security/cve/CVE-2026-50628
https://bugzilla.redhat.com/show_bug.cgi?id=2488302
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50628.json