CVE-2026-50630 | A CRLF injection vulnerability exists in the OAuth2 Authoriz… | CVSS 6.5 MEDIUM

Description

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Metadata

CVE ID: CVE-2026-50630
State: PUBLISHED
Assigner: apache
Reserved: 2026-06-05 10:57 UTC
Published: 2026-06-12 08:58 UTC
Last updated: 2026-06-12 14:03 UTC
Primary CWE: CWE-113
CWE-113 Improper Neutralization of CRLF Sequences in HTTP He…
Vendor / Product: Apache Software Foundation / Apache CXF
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache CXF	—	4.2.0 < 4.2.2, 0 < 4.1.7

Weakness (CWE)

CWE	Source	Description
CWE-113	cna	CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (1)

https://lists.apache.org/thread/bt7vnjzzkpd6vdhkxv103poor1jy5trm