CVE-2026-50627
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be replayed against a different Resource Server, leading to Token Confusion/Routing attacks.
Risk Assessment
The organization is at risk of unauthorized access to resources, as an attacker can reuse a JWT token from one server to access another server, potentially leading to data leakage or privilege escalation.
Recommendation
Upgrade Apache CXF to version 4.2.2 or 4.1.7 immediately, which contain the fix for this vulnerability.
Original NVD description (English source)
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

