CVE-2026-50628

Published: Jun 12, 2026Modified: Jun 12, 2026

Description

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://lists.apache.org/thread/vb3ho8lf228gh90m1fpnohf2008xrdxk

Source: security@apache.org

http://www.openwall.com/lists/oss-security/2026/06/11/5

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.