A vulnerability classified as critical was found in Apache CXF up to 4.1.6/4.2.1 . Affected is an unknown function of the component OAuth2 . Executing a manipulation can lead to http response splitting. This vulnerability appears as CVE-2026-50630 . The attack may be performed from remote. There is no available exploit. Upgrading the affected component is advised.