CVE-2026-50627
Critical · CVSS 9.1Apache CXF — JWT Audience Claim Validation Bypass (Token Confusion/Routing Attack)
- CVSS
- 9.1
- nvd
- EPSS
- —
- KEV
- No
- Class
- other
- CWE-289
Description
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Search profile — drives PoC discovery
Symbols JwtAccessTokenValidatoraudaudienceJWTvalidateAudienceJwtUtilsJwtClaimsOAuthServerUtilsAccessTokenValidator
Keywords CVE-2026-50627Apache CXFJwtAccessTokenValidatorJWT audience validation bypasstoken confusionrouting attackCWE-289aud claimJWT replayresource server
Versions: < 4.1.7, < 4.2.2
References
Status: enriched · ingested 2026-06-16T00:00:58.000Z · profiled 2026-06-16T18:20:23.035Z