CVE-2026-50629

Source
https://cve.org/CVERecord?id=CVE-2026-50629
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50629.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-50629
Published
2026-06-12T08:57:22.534Z
Modified
2026-07-15T01:48:50.568328017Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
Details

The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Database specific
{
    "cwe_ids": [
        "CWE-93"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50629.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "4.2.0"
                },
                {
                    "fixed": "4.2.2"
                },
                {
                    "fixed": "4.1.7"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type
GIT
Repo
https://github.com/apache/cxf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.1.7"
        },
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.2"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

cxf-2.*
cxf-2.1
cxf-2.1.2
cxf-2.2
cxf-2.2.1
cxf-2.2.2
cxf-2.3.0
cxf-2.4.0
cxf-2.5.0
cxf-2.5.1
cxf-2.6.0
cxf-2.6.1
cxf-2.7.0
cxf-2.7.1
cxf-2.7.2
cxf-3.*
cxf-3.0.0
cxf-3.0.0-milestone2
cxf-3.1.0
cxf-3.1.1
cxf-3.1.2
cxf-3.1.3
cxf-3.1.4
cxf-3.2.0
cxf-3.2.1
cxf-3.2.2
cxf-3.2.3
cxf-3.2.4
cxf-3.2.5
cxf-3.3.0
cxf-3.3.1
cxf-3.3.2
cxf-3.3.3
cxf-3.4.0
cxf-3.4.1
cxf-3.5.0
cxf-4.*
cxf-4.0.0
cxf-4.0.1
cxf-4.0.2
cxf-4.0.3
cxf-4.0.4
cxf-4.1.0
cxf-4.1.1
cxf-4.1.2
cxf-4.1.3
cxf-4.1.4
cxf-4.1.5
cxf-4.1.6
cxf-4.2.0
cxf-4.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50629.json"