CVE-2026-50630
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. The 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters, allowing an attacker to inject arbitrary HTTP headers or split the HTTP response entirely.
Risk Assessment
Attackers can exploit this vulnerability to manipulate HTTP headers, potentially leading to serious security issues, including HTTP response splitting attacks.
Recommendation
Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Original NVD description (English source)
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

