Skip to main content

Apache CXF CVE-2026-50632

| EUVD-2026-36400 HIGH
Improper Input Validation (CWE-20)
2026-06-11 GHSA-93g8-qqv3-mrx8
Apache RCE Cxf
8.1
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.1 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 MEDIUM

Network-reachable but requires an authenticated low-privileged user able to submit JMS configuration (PR:L) and a non-default exposed config surface (AC:H); successful exploitation yields full RCE.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 12, 2026 - 16:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 12, 2026 - 16:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 12, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jun 12, 2026 - 16:22 NVD
CRITICAL HIGH
CVSS changed
Jun 12, 2026 - 16:22 NVD
9.8 (CRITICAL) 8.1 (HIGH)
Patch available
Jun 12, 2026 - 11:01 EUVD
Analysis Generated
Jun 11, 2026 - 18:19 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Remote code execution in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 can occur when untrusted users are permitted to configure JMS transport, representing a third attempt to fully address the original advisory CVE-2026-44417. With no public exploit identified at time of analysis and an EPSS score of 0.04%, near-term mass exploitation appears unlikely, but the SSVC technical impact is rated total and the flaw is deemed automatable once weaponized.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify app exposing JMS config
Delivery
Submit malicious JMS configuration values
Exploit
CXF parses untrusted JMS settings
Execution
JMS transport contacts attacker endpoint
Persist
Remote class loading or deserialization triggers
Impact
Execute code as CXF service user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the deploying application exposes Apache CXF's JMS transport configuration to untrusted users - for example, a multi-tenant integration product, an admin UI, or an API that accepts JMS connection factory, JNDI provider URL, or destination resolver values from non-administrators and feeds them into CXF. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N with C/I/A all High yields 8.1, reflecting network reach and total impact but flagged High attack complexity because exploitation depends on the application exposing JMS configuration to untrusted users - a non-default deployment choice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an application function that forwards user-supplied JMS configuration into Apache CXF (for example, a tenant-administration page on an integration platform) submits a crafted JMS configuration referencing an attacker-controlled JNDI or broker endpoint. When CXF processes that configuration, the malicious endpoint coerces the CXF JVM into loading and executing attacker-controlled code, giving the attacker code execution with the privileges of the CXF service. …
Remediation Vendor-released patch: upgrade to Apache CXF 4.2.2 (for the 4.2.x branch) or 4.1.7 (for older supported branches), as documented in the Apache announcement at https://lists.apache.org/thread/740ghch5z5y675cn2kzgtyo5k37n6qcw and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-50632. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Identify all systems running Apache CXF 4.2.0, 4.2.1, or versions prior to 4.1.7; assess which systems permit untrusted users to configure JMS transport. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50628 CRITICAL
9.8 Jun 11

Authentication bypass in Apache CXF's OAuthRequestFilter affects versions prior to 4.1.7 and 4.2.0-4.2.1, where an inver
CVE-2026-49875 CRITICAL
9.8 Jun 11

XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to tr
CVE-2026-50627 CRITICAL
9.1 Jun 11

Token confusion in Apache CXF's JwtAccessTokenValidator allows an attacker holding a valid JWT issued for one Resource S
CVE-2026-50633 HIGH
8.1 Jun 11

Remote code execution in Apache CXF's JCA integration module allows attackers to achieve arbitrary code execution via JN
CVE-2026-50630 MEDIUM
6.5 Jun 11

HTTP Response Splitting via CRLF injection in Apache CXF's OAuth2 module allows an attacker who controls the WWW-Authent

Share

CVE-2026-50632 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy