CVE-2026-50628 PUBLISHED

Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control

Assigner: apache
Reserved: 05.06.2026 Published: 12.06.2026 Updated: 12.06.2026

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
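The inverted predicate the advisory describes, reconstructed as an added illustration (not Apache CXF source; the class, method names and sample addresses are assumptions), beside the corrected form and a regression check that catches the inversion:

```java
// Illustrative reconstruction of the inverted IP binding check described in the
// advisory. Not Apache CXF code; names and sample addresses are assumptions.
import java.util.List;
import java.util.function.BiPredicate;

public class IpBindingCheck {

    /** Buggy predicate: rejects the bound address and admits every other one. */
    static boolean allowInverted(String boundIp, String requestIp) {
        return !boundIp.equals(requestIp);
    }

    /** Corrected predicate: admits only the bound address. */
    static boolean allowFixed(String boundIp, String requestIp) {
        return boundIp.equals(requestIp);
    }

    /**
     * Regression check for any binding predicate: the bound address must be
     * accepted and every other address rejected. Returns false on an inversion.
     */
    static boolean behavesCorrectly(BiPredicate<String, String> check,
                                    String boundIp, List<String> otherIps) {
        if (!check.test(boundIp, boundIp)) {
            return false;
        }
        for (String ip : otherIps) {
            if (check.test(boundIp, ip)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String bound = "198.51.100.10";                     // constructed sample
        List<String> others = List.of("203.0.113.7", "10.0.0.1");
        System.out.println("inverted check passes: "
                + behavesCorrectly(IpBindingCheck::allowInverted, bound, others));
        System.out.println("fixed check passes:    "
                + behavesCorrectly(IpBindingCheck::allowFixed, bound, others));
    }
}
```

A check like behavesCorrectly, run in CI against the filter's predicate, would have flagged the inversion before the feature shipped.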

Product Status

Vendor Apache Software Foundation
Product Apache CXF
Versions Default: unaffected
  • affected from 4.2.0 to 4.2.2 (excl.)
  • affected from 0 to 4.1.7 (excl.)

Credits

  • Guanping Zhang (finder) reported this vulnerability

References

Problem Types

  • CWE-20 Improper Input Validation