CVE-2026-50631

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

12/06/2026

Last modified:

12/06/2026

Description

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when &#39;recycleRefreshTokens&#39; is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Impact

References to Advisories, Solutions, and Tools

https://lists.apache.org/thread/s83t3x4r626o9h8rt0ryr1w7w53l1vv8
http://www.openwall.com/lists/oss-security/2026/06/11/8