GHSA-542g-m3fx-q86fMediumCVSS 6.5

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache...

Published
June 12, 2026
Last Modified
June 12, 2026

🔗 CVE IDs covered (1)

📋 Description

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue.

🔗 References (4)