CVE-2026-50630

Source
https://cve.org/CVERecord?id=CVE-2026-50630
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50630.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-50630
Published
2026-06-12T08:58:27.181Z
Modified
2026-07-08T08:13:44.047443011Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection
Details

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "4.2.0"
                },
                {
                    "fixed": "4.2.2"
                },
                {
                    "fixed": "4.1.7"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50630.json",
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-113"
    ]
}
References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type
GIT
Repo
https://github.com/apache/cxf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.1.7"
        },
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.2"
        }
    ]
}

Affected versions

cxf-2.*
cxf-2.1
cxf-2.1.2
cxf-2.2
cxf-2.2.1
cxf-2.2.2
cxf-2.3.0
cxf-2.4.0
cxf-2.5.0
cxf-2.5.1
cxf-2.6.0
cxf-2.6.1
cxf-2.7.0
cxf-2.7.1
cxf-2.7.2
cxf-3.*
cxf-3.0.0
cxf-3.0.0-milestone2
cxf-3.1.0
cxf-3.1.1
cxf-3.1.2
cxf-3.1.3
cxf-3.1.4
cxf-3.2.0
cxf-3.2.1
cxf-3.2.2
cxf-3.2.3
cxf-3.2.4
cxf-3.2.5
cxf-3.3.0
cxf-3.3.1
cxf-3.3.2
cxf-3.3.3
cxf-3.4.0
cxf-3.4.1
cxf-3.5.0
cxf-4.*
cxf-4.0.0
cxf-4.0.1
cxf-4.0.2
cxf-4.0.3
cxf-4.0.4
cxf-4.1.0
cxf-4.1.1
cxf-4.1.2
cxf-4.1.3
cxf-4.1.4
cxf-4.1.5
cxf-4.1.6
cxf-4.2.0
cxf-4.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50630.json"