CVE-2026-50631

Published: Jun 12, 2026Modified: Jun 12, 2026

7.4

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.2 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Affected (2)

Products: Apache: Cxf

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Cxf	Before 4.1.7
Apache Cxf	From 4.2.0 to 4.2.2

Related CWEs

Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

References (2)

https://lists.apache.org/thread/s83t3x4r626o9h8rt0ryr1w7w53l1vv8

Source: security@apache.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2026/06/11/8

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.