CVE-2026-50627
mediumEPSS Score
0.4%
Exploitation probability in 30 days
Top 66% most likely to be exploited
Vulnerability Report
Generated by CyberWatcher
Description
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
CWE
CWE-289Affected Products
Apache Software Foundation Apache CXF