CVE-2026-50631— Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing

AI Predicted 8.1 Difficulty: Hard EPSS 0.34% · P26 Updated Jun 13, 2026

Possible ATT&CK Techniques 2AI

T1133 · External Remote Services T1078 · Valid Accounts

Affected Version Matrix 2

Vendor	Product	Version Range	Status
Apache Software Foundation	Apache CXF	`4.2.0< 4.2.2`	affected
		`< 4.1.7`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-50631

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing

Source: NVD (National Vulnerability Database)

Vulnerability Description

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

检查时间与使用时间(TOCTOU)的竞争条件

Source: NVD (National Vulnerability Database)

Vulnerability Title

Apache CXF 竞争条件问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Apache cxf是美国Apache基金会开源的一个Web服务开发框架。 Apache CXF 4.1.7之前版本和4.2.0版本至4.2.2之前版本存在竞争条件问题漏洞，该漏洞源于AbstractOAuthDataProvider存在竞争条件问题，当'recycleRefreshTokens'设置为false时，可能导致多个并发请求使用同一个Refresh Token绕过单次使用语义生成多个有效的Access Token，泄露的refresh token可被多个攻击者或线程同时重放。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Apache Software Foundation	Apache CXF	4.2.0 ~ 4.2.2	-

II. Public POCs for CVE-2026-50631

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-50631

请登录查看更多情报信息。

Mailing List Discussions for CVE-2026-50631 (1)

🔗 CVE-2026-50631: Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing-Apache Mail Archivesvendor-advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-50631

Same Patch Batch · Apache Software Foundation · 2026-06-12 · 11 CVEs total

CVE-2026-50645		Apache CXF: No restriction on attachment headers per message
CVE-2026-50634		Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature ent
CVE-2026-50633		Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl
CVE-2026-50632		Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory
CVE-2026-50630		Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection
CVE-2026-50629		Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
CVE-2026-50628		Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control
CVE-2026-50627		Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator
CVE-2026-49875		Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointRefer
CVE-2026-50623		Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService

IV. Related Vulnerabilities

Same product: Apache CXF

Same vendor: Apache Software Foundation

Same weakness: CWE-367

V. Comments for CVE-2026-50631

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-50631— Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing

Possible ATT&CK Techniques 2AI

Affected Version Matrix 2

I. Basic Information for CVE-2026-50631

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-50631

III. Intelligence Information for CVE-2026-50631

Mailing List Discussions for CVE-2026-50631 (1)

Same Patch Batch · Apache Software Foundation · 2026-06-12 · 11 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-50631

Leave a comment