CVE-2026-50634 Overview
CVE-2026-50634 affects Apache CXF's JwsJsonContainerRequestFilter, where attackers can cause the framework to process metadata that was not authenticated by the accepted JSON Web Signature (JWS). The flaw allows unauthenticated metadata such as Content-Type headers and protected HTTP headers to influence downstream JAX-RS entity parsing and signed-header consistency checks. Applications relying on the assumption that processed metadata originated from a verified signature entry can be misled. Apache has released versions 4.2.2 and 4.1.7 to address the issue, which is tracked under [CWE-347] Improper Verification of Cryptographic Signature.
Critical Impact
Attackers can bypass signature-verification assumptions in Apache CXF JWS JSON processing, influencing how JAX-RS endpoints parse request entities and validate signed headers.
Affected Products
- Apache CXF versions prior to 4.2.2 (4.2.x branch)
- Apache CXF versions prior to 4.1.7 (4.1.x branch)
- Applications using JwsJsonContainerRequestFilter for JAX-RS request signature verification
Discovery Timeline
- 2026-06-12 - CVE-2026-50634 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-50634
Vulnerability Analysis
Apache CXF is an open-source services framework that supports JAX-RS and JAX-WS, including JOSE-based message security. The JwsJsonContainerRequestFilter validates inbound requests carrying a JWS JSON Serialization payload, which can contain multiple signatures and per-signature protected headers. The filter is expected to expose only metadata that belongs to an accepted signature entry.
The defect causes CXF to consider metadata that was not bound to the verified signature. As a result, fields such as Content-Type or protected HTTP headers can be sourced from an unverified portion of the JWS JSON structure. Downstream code paths, including JAX-RS entity providers and any signed-header consistency checks, then operate on attacker-controlled metadata while assuming it was authenticated.
This weakness is categorized as Improper Verification of Cryptographic Signature [CWE-347]. The published EPSS probability is 0.301%.
Root Cause
The root cause lies in how the filter associates protected header metadata with the signature that was actually verified. Instead of strictly scoping accepted metadata to the verified signature entry within the JWS JSON Serialization object, the filter permits metadata from other entries to flow into the request context.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker submits a crafted JWS JSON request containing at least one valid signature entry alongside additional entries or protected headers carrying attacker-chosen metadata. The valid signature satisfies the filter, while the unverified metadata is propagated to JAX-RS parsing and header-consistency logic, enabling content-type confusion or bypass of signed-header checks.
No public proof-of-concept code is available. Technical details are described in the Apache Security Mailing List advisory and the Openwall OSS Security update.
Detection Methods for CVE-2026-50634
Indicators of Compromise
- Inbound JAX-RS requests containing JWS JSON Serialization payloads with multiple signature entries or unexpected protected headers.
- Requests where the declared Content-Type conflicts with the entity body actually processed by JAX-RS providers.
- Application logs showing signed-header consistency check failures or unexpected entity-provider selection on endpoints protected by JwsJsonContainerRequestFilter.
Detection Strategies
- Inventory all services using Apache CXF and identify deployments that register JwsJsonContainerRequestFilter on JAX-RS resources.
- Compare deployed CXF JAR versions against the fixed versions 4.2.2 and 4.1.7 using software composition analysis.
- Inspect access logs for repeated JWS JSON requests targeting signed endpoints from a single source, which may indicate probing.
Monitoring Recommendations
- Enable verbose logging on CXF JOSE filters to record which signature entry was accepted and which protected headers were applied.
- Alert on mismatches between protected JWS headers and HTTP-level headers on the same request.
- Track upgrade status of CXF dependencies in CI/CD pipelines to ensure vulnerable versions are not reintroduced.
How to Mitigate CVE-2026-50634
Immediate Actions Required
- Upgrade Apache CXF to version 4.2.2 or 4.1.7, depending on the branch in use.
- Audit JAX-RS endpoints that rely on JwsJsonContainerRequestFilter and confirm which protected headers they trust for downstream decisions.
- Validate that any signed-header consistency checks reference only metadata from the verified signature entry after upgrading.
Patch Information
Apache has released fixed versions 4.2.2 and 4.1.7. Both releases correct how JwsJsonContainerRequestFilter scopes accepted protected headers to the verified signature entry. Refer to the Apache Security Mailing List advisory for release details and the Openwall OSS Security update for distribution notes.
Workarounds
- If immediate upgrade is not possible, restrict access to JAX-RS endpoints using JwsJsonContainerRequestFilter to trusted network segments.
- Add application-layer checks that re-validate Content-Type and critical HTTP headers against the verified JWS protected header before processing the entity.
- Reject JWS JSON Serialization requests containing more than one signature entry where the application expects only a single signer.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

