CVE-2019-12419

CVE-2019-12419 is a critical-severity vulnerability in Apache Cxf with a CVSS 3.x base score of 9.8. Its EPSS exploit-prediction score of 14% places it in the 96th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-863.

Key facts

Description

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

Frequently asked questions

What is CVE-2019-12419?
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
How severe is CVE-2019-12419?
CVE-2019-12419 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-12419 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 14% (96th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2019-12419?
CVE-2019-12419 primarily affects Apache Cxf. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-12419?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2019-12419 published?
CVE-2019-12419 was published on 2019-11-06 and last updated on 2026-06-17.

References

Affected products (6)

More vulnerabilities in Apache Cxf

All CVEs affecting Apache Cxf →

Other CWE-863 (Incorrect Authorization) vulnerabilities

Browse all CWE-863 (Incorrect Authorization) vulnerabilities →