CVE-2026-50634: JWS signature bypass exposes

CISO Take

Apache CXF's JwsJsonContainerRequestFilter fails to verify that Content-Type and protected HTTP header metadata is actually covered by the accepted JSON Web Signature, allowing an attacker to inject unauthenticated metadata that downstream JAX-RS processing treats as trusted. For organizations exposing AI model inference endpoints or AI service APIs via Apache CXF, this flaw breaks the cryptographic trust chain gating request processing — the bypass can redirect entity parsing or circumvent signed-header consistency checks without triggering authentication failures. No EPSS score or public exploit is available yet and there is no CISA KEV listing, placing current exploitation likelihood at speculative but non-trivial given the well-understood nature of JWS manipulation (CWE-347). Upgrade to Apache CXF 4.2.2 or 4.1.7 immediately; if patching is delayed, add explicit server-side validation of Content-Type and all security-relevant headers independent of and before the JWS filter.

Sources: NVD ATLAS Apache CXF Advisory (lists.apache.org) OSS-Security Mailing List (openwall.com)

What is the risk?

Moderate risk. CWE-347 (Improper Verification of Cryptographic Signature) represents a fundamental trust assumption failure in the request authentication layer. No CVSS score is assigned yet, and there are no known public exploits or active exploitation reports. However, signature bypass vulnerabilities in authentication filters are historically reliably exploitable once the mechanics are understood — an attacker familiar with JWS can craft requests that pass the filter while carrying unauthenticated metadata. Risk is elevated for organizations where Apache CXF serves as the API gateway layer for AI inference services and where JWS-verified headers drive authorization decisions about which model operations are permitted.

How does the attack unfold?

Reconnaissance

Adversary identifies a target AI service API built on Apache CXF and confirms JwsJsonContainerRequestFilter is active on sensitive inference or data endpoints.

AML.T0006

Craft Malicious Request

Adversary constructs a JWS-signed HTTP request where the signature covers only the payload body while embedding an unauthenticated Content-Type or protected header value outside the signed components.

AML.T0049

Signature Bypass

CXF's JwsJsonContainerRequestFilter accepts the partial signature as valid and forwards the full request including unauthenticated metadata to JAX-RS downstream processing.

AML.T0107

Impact

Downstream JAX-RS entity parsing treats the injected Content-Type as trusted, enabling unauthorized access to protected AI model endpoints, alternative deserialization paths, or bypass of signed-header authorization gates.

AML.T0040

Reconnaissance

Adversary identifies a target AI service API built on Apache CXF and confirms JwsJsonContainerRequestFilter is active on sensitive inference or data endpoints.

AML.T0006

Craft Malicious Request

Adversary constructs a JWS-signed HTTP request where the signature covers only the payload body while embedding an unauthenticated Content-Type or protected header value outside the signed components.

AML.T0049

Signature Bypass

CXF's JwsJsonContainerRequestFilter accepts the partial signature as valid and forwards the full request including unauthenticated metadata to JAX-RS downstream processing.

AML.T0107

Impact

Downstream JAX-RS entity parsing treats the injected Content-Type as trusted, enabling unauthorized access to protected AI model endpoints, alternative deserialization paths, or bypass of signed-header authorization gates.

AML.T0040

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

5 steps

Patch immediately: upgrade Apache CXF to 4.2.2 (4.x branch) or 4.1.7 (4.1.x branch) — both contain the fix per the vendor advisory.
If patching is delayed: add explicit server-side validation of Content-Type and all security-relevant HTTP headers at the application layer, independent of and before the JwsJsonContainerRequestFilter processes them.
Audit all JAX-RS endpoints protected by JwsJsonContainerRequestFilter to enumerate which headers are used in authorization decisions and whether those decisions can be influenced by unauthenticated metadata.
Consider WAF rules that flag anomalous or unexpected Content-Type values on JWS-protected endpoints as a compensating control.
Monitor application and container logs for unexpected Content-Type values, JAX-RS entity parsing errors, or signed-header consistency failures that could indicate exploitation attempts.

How is it classified?

Auth Bypass Data Extraction API Inference AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0107 - Exploitation for Defense Evasion

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.2 - AI system security and resilience

NIST AI RMF

MANAGE 2.4 - Mechanisms are in place and applied, responsibilities are assigned, and documented for managing the identified and residual risks

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-50634?

Apache CXF's JwsJsonContainerRequestFilter fails to verify that Content-Type and protected HTTP header metadata is actually covered by the accepted JSON Web Signature, allowing an attacker to inject unauthenticated metadata that downstream JAX-RS processing treats as trusted. For organizations exposing AI model inference endpoints or AI service APIs via Apache CXF, this flaw breaks the cryptographic trust chain gating request processing — the bypass can redirect entity parsing or circumvent signed-header consistency checks without triggering authentication failures. No EPSS score or public exploit is available yet and there is no CISA KEV listing, placing current exploitation likelihood at speculative but non-trivial given the well-understood nature of JWS manipulation (CWE-347). Upgrade to Apache CXF 4.2.2 or 4.1.7 immediately; if patching is delayed, add explicit server-side validation of Content-Type and all security-relevant headers independent of and before the JWS filter.

Is CVE-2026-50634 actively exploited?

No confirmed active exploitation of CVE-2026-50634 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-50634?

1. Patch immediately: upgrade Apache CXF to 4.2.2 (4.x branch) or 4.1.7 (4.1.x branch) — both contain the fix per the vendor advisory. 2. If patching is delayed: add explicit server-side validation of Content-Type and all security-relevant HTTP headers at the application layer, independent of and before the JwsJsonContainerRequestFilter processes them. 3. Audit all JAX-RS endpoints protected by JwsJsonContainerRequestFilter to enumerate which headers are used in authorization decisions and whether those decisions can be influenced by unauthenticated metadata. 4. Consider WAF rules that flag anomalous or unexpected Content-Type values on JWS-protected endpoints as a compensating control. 5. Monitor application and container logs for unexpected Content-Type values, JAX-RS entity parsing errors, or signed-header consistency failures that could indicate exploitation attempts.

What systems are affected by CVE-2026-50634?

This vulnerability affects the following AI/ML architecture patterns: AI model serving, AI API gateways, Enterprise AI service backends.

What is the CVSS score for CVE-2026-50634?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI model servingAI API gatewaysEnterprise AI service backends

MITRE ATLAS Techniques

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.6.2.2

NIST AI RMF: MANAGE 2.4

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Exploitation Scenario

An adversary targeting an organization's AI model inference API built on Apache CXF constructs a crafted HTTP request to a JWS-protected endpoint. The request includes a valid JWS signature covering only the core payload body while injecting a malicious Content-Type value or custom authorization header outside the signed components. CXF's JwsJsonContainerRequestFilter accepts the partial signature as valid and passes the full request downstream — including the unauthenticated metadata — to the JAX-RS entity reader. The downstream parser interprets the injected Content-Type as trusted, potentially triggering an alternative deserialization path (e.g., XML vs. JSON), invoking a different endpoint handler, or circumventing a signed-header consistency check that gated access to privileged model operations. In an AI service context, this could allow the adversary to invoke restricted model inference endpoints, manipulate input routing to production models, or extract model outputs that would otherwise be blocked by the signed-header authorization logic.

Weaknesses (CWE)

CWE-347 Improper Verification of Cryptographic Signature Primary CWE-347 Improper Verification of Cryptographic Signature

CWE-347 — Improper Verification of Cryptographic Signature: The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Source: MITRE CWE corpus.