CVE-2026-50631 | THREATINT

Description

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

PUBLISHED Reserved 2026-06-05 | Published 2026-06-12 | Updated 2026-06-12 | Assigner apache

Problem types

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Product status

Default status

unaffected

4.2.0 (semver) before 4.2.2

affected

Any version before 4.1.7

affected

Credits

Guanping Zhang reported this vulnerability. finder

References

www.openwall.com/lists/oss-security/2026/06/11/8

lists.apache.org/thread/s83t3x4r626o9h8rt0ryr1w7w53l1vv8 vendor-advisory

cve.org (CVE-2026-50631)

nvd.nist.gov (CVE-2026-50631)

Download JSON