{"api_version":"1","generated_at":"2026-06-12T20:04:01+00:00","cve":"CVE-2026-50629","urls":{"html":"https://cve.report/CVE-2026-50629","api":"https://cve.report/api/cve/CVE-2026-50629.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-50629","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-50629"},"summary":{"title":"Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier","description":"The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.","state":"PUBLISHED","assigner":"apache","published_at":"2026-06-12 10:16:22","updated_at":"2026-06-12 19:04:34"},"problem_types":["CWE-93","CWE-93 CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/06/11/6","name":"http://www.openwall.com/lists/oss-security/2026/06/11/6","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.apache.org/thread/xw95po30p8th58ms1no6b0f2375cql00","name":"https://lists.apache.org/thread/xw95po30p8th58ms1no6b0f2375cql00","refsource":"security@apache.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-50629","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50629","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache CXF","version":"affected 4.2.0 4.2.2 semver","platforms":[]},{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache CXF","version":"affected 4.1.7 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Guanping Zhang reported this vulnerability.","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"50629","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"cxf","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-06-12T09:28:05.582Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/06/11/6"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-50629","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-12T14:02:18.148673Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-12T14:47:44.227Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://repo.maven.apache.org/maven2","defaultStatus":"unaffected","packageName":"org.apache.cxf:cxf-rt-rs-security-oauth2","product":"Apache CXF","vendor":"Apache Software Foundation","versions":[{"lessThan":"4.2.2","status":"affected","version":"4.2.0","versionType":"semver"},{"lessThan":"4.1.7","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Guanping Zhang reported this vulnerability."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files.&nbsp;Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.<br>"}],"value":"The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue."}],"metrics":[{"other":{"content":{"text":"low"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-93","description":"CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-12T08:57:22.534Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/xw95po30p8th58ms1no6b0f2375cql00"}],"source":{"discovery":"UNKNOWN"},"title":"Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2026-50629","datePublished":"2026-06-12T08:57:22.534Z","dateReserved":"2026-06-05T10:55:14.302Z","dateUpdated":"2026-06-12T14:47:44.227Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-12 10:16:22","lastModifiedDate":"2026-06-12 19:04:34","problem_types":["CWE-93","CWE-93 CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*","versionEndExcluding":"4.1.7","matchCriteriaId":"C0505632-D713-4EFC-B857-12EBD5C3DF33"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.0","versionEndExcluding":"4.2.2","matchCriteriaId":"B1BF06FC-96AD-4663-9959-1B1493D4A2A0"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"50629","Ordinal":"1","Title":"Apache CXF: OAuth2: Log Injection via Unsanitized Client Identif","CVE":"CVE-2026-50629","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"50629","Ordinal":"1","NoteData":"The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.","Type":"Description","Title":"Apache CXF: OAuth2: Log Injection via Unsanitized Client Identif"}]}}}