CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-50631

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 4.3%

CVSS Severity

CVSS v3 Score 7.4

References

https://lists.apache.org/thread/s83t3x4r626o9h8rt0ryr1w7w53l1vv8
http://www.openwall.com/lists/oss-security/2026/06/11/8

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-50631

Products

Pricing

Contact Us