CVE-2026-50631: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Software Foundation Apache CXF
A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
AI Analysis
Technical Summary
This vulnerability is a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) in Apache CXF's AbstractOAuthDataProvider. When 'recycleRefreshTokens' is set to false, the check that a refresh token is still valid and the step that consumes it are not performed atomically, so concurrent requests presenting the same refresh token can each pass the check before any of them has consumed it. This bypasses the single-use semantics of refresh tokens and allows multiple valid access tokens to be issued from one refresh token; a leaked refresh token can therefore be replayed concurrently by multiple attackers or threads. The issue is resolved in Apache CXF versions 4.2.2 and 4.1.7.
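Added example, not code from the page or from Apache CXF (the provider's internals are not described here): a constructed in-memory refresh-token store with the check-then-consume pattern the advisory describes (redeem_racy) beside a version that checks and consumes under one lock (redeem_atomic). The barrier is an assumption that forces every caller into the worst-case interleaving so the outcome is deterministic rather than timing-dependent.

```python
import secrets
import threading

# Constructed stand-in for a refresh-token store; this is not Apache CXF code
# and AbstractOAuthDataProvider's internals are not described on the page.
class RefreshTokenStore:
    def __init__(self):
        self.consumed = {}              # refresh token -> already used?
        self.lock = threading.Lock()

    def issue(self):
        token = secrets.token_urlsafe(32)
        with self.lock:
            self.consumed[token] = False
        return token

    def redeem_racy(self, token, barrier):
        """Time-of-check / time-of-use split: validity is read, then the token is
        consumed later with nothing holding the state fixed in between."""
        valid = self.consumed.get(token) is False   # time of check
        barrier.wait()                  # models the window between check and use
        if not valid:
            return None
        self.consumed[token] = True     # time of use, acting on a stale check
        return secrets.token_urlsafe(16)            # the minted access token

    def redeem_atomic(self, token, barrier):
        """Check and consume under one lock, so only the first caller wins."""
        barrier.wait()                  # all callers arrive together, then contend
        with self.lock:
            if self.consumed.get(token) is not False:
                return None
            self.consumed[token] = True
        return secrets.token_urlsafe(16)

def concurrent_redeem(store, token, redeem, n=8):
    """Replay one refresh token from n threads; return how many access tokens
    were minted. Single-use semantics mean the answer should never exceed 1."""
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        results[i] = redeem(token, barrier)
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r is not None for r in results)
```

With the racy path every thread mints an access token from the same refresh token; with the atomic path exactly one does, and a second replay of the consumed token mints none.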
Potential Impact
An attacker holding a leaked refresh token can exploit this race condition to generate multiple valid access tokens concurrently, bypassing the intended single-use restriction on refresh tokens. This could lead to unauthorized access to protected resources through multiple valid tokens or sessions derived from a single refresh token.
Mitigation Recommendations
Users should upgrade Apache CXF to version 4.2.2 or 4.1.7 or later, where this race condition is fixed. The vulnerable behaviour is only present when 'recycleRefreshTokens' is set to false; no other mitigations are indicated. Patch status is confirmed by the vendor advisory recommending these versions.
Affected software
- pkg:maven/Apache Software Foundation/org.apache.cxf:cxf-rt-rs-security-oauth2
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-06-05T11:02:05.432Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2bd75fe617e2d83448bffa
Added to database: 6/12/2026, 9:54:39 AM
Last enriched: 6/12/2026, 10:10:04 AM
Last updated: 6/12/2026, 12:20:06 PM