CVE-2026-50628
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk46th percentile — higher than 46% of all known CVEs
Summary
A logic error in OAuthRequestFilter rejects legitimate requests from the bound IP address while blindly allowing requests from any other IP address. Enabling this security feature creates an inverse security check.
Risk Assessment
The organization may lose access to its own OAuth-protected resources while attackers from outside can gain unauthorized access.
Recommendation
Immediately upgrade to version 4.2.2 or 4.1.7, which contain the fix for this logic error.
Original NVD description (English source)
A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

