7.4

CVE-2026-50631

Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheCxf Version < 4.1.7
ApacheCxf Version >= 4.2.0 < 4.2.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.29% 0.209
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.4 2.2 5.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

https://lists.apache.org/thread/s83t3x4r626o9h8rt0ryr1w7w53l1vv8
Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/06/11/8
Third Party Advisory
Mailing List