CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
Blast Radius
Ecosystem impact: 270 Maven packages depend on org.apache.neethi:neethi (9 direct, 261 indirect).
Ecosystem-wide dependent count for version 3.2.2.
Description (NVD)
Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B, which in turn references Policy A), the policy normalization process can enter an infinite loop or recurse without bound, leading to a stack overflow or an application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition.
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
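The failure mode described above is a cycle in the graph of wsp:PolicyReference links. As an added example (not code from the advisory or from the Apache Neethi project), the following Python builds that reference graph from a WS-Policy document and reports any circular chain before normalization is attempted, which is the kind of pre-check a consumer of untrusted policy documents can run in front of a policy engine. The XML samples, the container element and the function names are constructed for the illustration.

```python
"""Detect circular wsp:PolicyReference chains in a WS-Policy document.

Added example; not part of the advisory or of Apache Neethi. The container
element <definitions> and the sample policies below are constructed.
"""
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
POLICY_TAG = f"{{{WSP}}}Policy"
REF_TAG = f"{{{WSP}}}PolicyReference"
ID_ATTR = f"{{{WSU}}}Id"

# Constructed sample: A -> B -> A is a cycle; C -> A only joins it.
CIRCULAR_POLICY_XML = f"""<definitions xmlns:wsp="{WSP}" xmlns:wsu="{WSU}">
  <wsp:Policy wsu:Id="A"><wsp:PolicyReference URI="#B"/></wsp:Policy>
  <wsp:Policy wsu:Id="B"><wsp:PolicyReference URI="#A"/></wsp:Policy>
  <wsp:Policy wsu:Id="C"><wsp:PolicyReference URI="#A"/></wsp:Policy>
</definitions>"""

# Constructed sample: a policy that references itself directly.
SELF_REF_POLICY_XML = f"""<definitions xmlns:wsp="{WSP}" xmlns:wsu="{WSU}">
  <wsp:Policy wsu:Id="Loop"><wsp:PolicyReference URI="#Loop"/></wsp:Policy>
</definitions>"""

# Constructed sample: A -> B -> C with no cycle.
ACYCLIC_POLICY_XML = f"""<definitions xmlns:wsp="{WSP}" xmlns:wsu="{WSU}">
  <wsp:Policy wsu:Id="A"><wsp:PolicyReference URI="#B"/></wsp:Policy>
  <wsp:Policy wsu:Id="B"><wsp:PolicyReference URI="#C"/></wsp:Policy>
  <wsp:Policy wsu:Id="C"><wsp:ExactlyOne/></wsp:Policy>
</definitions>"""


def build_reference_graph(xml_text):
    """Map each wsu:Id-bearing wsp:Policy to the local ids it references.

    Only same-document references (URI="#id") are followed; external URIs
    are out of scope for this check. The samples contain no nested policies,
    so every reference is attributed to exactly one policy.
    """
    root = ET.fromstring(xml_text)
    graph = {}
    for policy in root.iter(POLICY_TAG):
        policy_id = policy.get(ID_ATTR)
        if policy_id is None:
            continue  # anonymous policies cannot be referenced
        refs = []
        for ref in policy.iter(REF_TAG):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                refs.append(uri[1:])
        graph[policy_id] = refs
    return graph


def find_reference_cycle(graph):
    """Return one cycle as a list of ids ending where it started, or None.

    Iterative-free DFS with three colours: GREY marks nodes on the current
    path, so meeting a GREY node means the path loops back on itself.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for target in graph.get(node, []):
            if target not in graph:
                continue  # dangling reference: a different error, not a cycle
            if colour[target] == GREY:
                return path[path.index(target):] + [target]
            if colour[target] == WHITE:
                found = visit(target)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return None

    for node in graph:
        if colour[node] == WHITE:
            cycle = visit(node)
            if cycle:
                return cycle
    return None


def check_policy_document(xml_text):
    """Convenience wrapper: cycle path for a document, or None if it is safe."""
    return find_reference_cycle(build_reference_graph(xml_text))


if __name__ == "__main__":
    for name, doc in [("circular", CIRCULAR_POLICY_XML),
                      ("self-reference", SELF_REF_POLICY_XML),
                      ("acyclic", ACYCLIC_POLICY_XML)]:
        print(name, "->", check_policy_document(doc))
```

Because the graph is built once and walked once, the check is linear in the number of policies and references, so it adds negligible cost in front of a normalizer that would otherwise recurse until the stack is exhausted.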
Analysis (AI)
Denial of Service in Apache Neethi WS-Policy processor allows remote unauthenticated attackers to crash applications or cause resource exhaustion by sending crafted policy documents with circular references. The vulnerability (CVSS 7.5) triggers infinite loops or stack overflow during policy normalization when Policy A references Policy B which references Policy A. …
Remediation (AI)
Within 24 hours: Identify all applications and services using Apache Neethi and document current deployed versions. Within 7 days: Upgrade Apache Neethi to version 3.2.2 or later across all affected systems; coordinate with application teams to validate compatibility before production deployment. …
EUVD-2026-26486
GHSA-2hfh-9h53-qc24