Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable but requires privilege to influence JMS configuration (PR:L) and a non-trivial coercion path (AC:H), yielding total code-execution impact across C/I/A.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Blast Radius
ecosystem impact- 6 maven packages depend on org.apache.cxf:cxf-rt-transports-jms (6 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.2.0.
DescriptionCVE.org
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
AnalysisAI
Remote code execution in Apache CXF (versions before 3.6.11, 4.0.0-4.1.5, and 4.2.0) arises because the fix for CVE-2025-48913 was incomplete, leaving a second code path through which untrusted JMS configuration can be abused to execute code. The flaw only matters where untrusted users are permitted to supply or influence JMS transport configuration for CXF endpoints. This is a remediation-regression issue carrying no public exploit identified at time of analysis, a very low EPSS (0.10%), and SSVC exploitation status of 'none', but the technical impact is rated total.
Technical ContextAI
Apache CXF is a widely deployed open-source Java framework for building SOAP and REST web services, and it supports JMS as a transport binding. The root cause is classed as CWE-20 (Improper Input Validation): CXF does not fully validate or constrain JMS configuration parameters, so a configuration value an attacker controls (for example connection factory, JNDI, or destination settings) can be coerced into loading or invoking attacker-influenced code. This is the same class of weakness as the original CVE-2025-48913; the upstream patch for that issue closed one path but, per the Apache advisory, a second path in the code remained reachable, which CVE-2026-44417 now addresses. The single CPE provided (cpe:2.3:a:apache_software_foundation:apache_cxf:*) does not pin versions, so the EUVD version ranges are the authoritative source for affected builds.
RemediationAI
Vendor-released patch: upgrade to Apache CXF 4.2.1, 4.1.6, or 3.6.11 depending on your branch (4.2.x users go to 4.2.1, 4.0.x/4.1.x users go to 4.1.6, and 3.x users go to 3.6.11), as directed in the Apache advisory at https://lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjvmclvz4o. Because this is an incomplete-fix follow-up to CVE-2025-48913, partially patched 3.6.x/4.1.x builds are insufficient and must reach the exact fixed versions above. If immediate upgrade is not possible, the most effective compensating control is to ensure untrusted users cannot supply or alter JMS transport configuration for CXF endpoints - remove JMS configuration capability from untrusted-facing interfaces, lock JMS connection/JNDI settings to a trusted server-side configuration, and restrict who can deploy or reconfigure services; the trade-off is reduced flexibility for legitimate operators who previously customized JMS settings. Also consult Red Hat's VEX/advisory (https://access.redhat.com/security/cve/CVE-2026-44417) if you consume CXF through a Red Hat product.
More in Apache Cxf
View allArbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users a
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31432
GHSA-2hvc-5c6v-f533