ГлавнаяУязвимости → CVE-2026-50631
7.4высокая

CVE-2026-50631

Описание

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Затрагиваемое ПО
Apache Cxf
CVSS
Балл7.4 — высокая
ВекторCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Источники
https://lists.apache.org/thread/s83t3x4r626o9h8rt0ryr1w7w53l1vv8http://www.openwall.com/lists/oss-security/2026/06/11/8