Skip to main content

Apache CXF CVE-2026-50633

| EUVD-2026-36401 HIGH
Improper Input Validation (CWE-20)
2026-06-11 GHSA-qp3f-rvj8-46c8
Apache RCE Cxf Red Hat
8.1
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Requires attacker control of ra.xml or activation parameters (admin-level artifacts), so PR:H and AC:H; RCE in the app-server JVM crosses the resource-adapter trust boundary, justifying S:C with full CIA impact.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 12, 2026 - 16:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 12, 2026 - 16:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 12, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jun 12, 2026 - 16:22 NVD
CRITICAL HIGH
CVSS changed
Jun 12, 2026 - 16:22 NVD
9.8 (CRITICAL) 8.1 (HIGH)
Patch available
Jun 12, 2026 - 11:01 EUVD
Analysis Generated
Jun 11, 2026 - 20:17 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

Articles & Coverage 1

News Critical JNDI Injection RCE in Apache CXF JCA Module - CVE-2026-50633 Jun 12, 2026

AnalysisAI

Remote code execution in Apache CXF's JCA integration module allows attackers to achieve arbitrary code execution via JNDI injection when they can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Affected versions span Apache CXF 4.2.0 to before 4.2.2, and all versions prior to 4.1.7. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify CXF JCA deployment
Delivery
Gain write access to ra.xml or activation params
Exploit
Inject malicious JNDI URL (LDAP/RMI)
Install
Trigger resource adapter activation
C2
JVM fetches remote object reference
Execute
Attacker class instantiated in server JVM
Impact
Code execution as app server
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to actually use Apache CXF's JCA integration module (the resource adapter packaging) and requires the attacker to influence the JCA deployment descriptor ra.xml or runtime activation parameters supplied when the resource adapter is activated - i.e., write access to the deployed RAR/ra.xml or control over activation-spec properties passed by an administrator or orchestration layer. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals point sharply in different directions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains write access to the application server's deployment area (via a separate vulnerability, weak admin console credentials, or a compromised CI/CD pipeline) modifies ra.xml or supplies activation parameters that point a JNDI lookup at an attacker-controlled LDAP/RMI server. When the JCA resource adapter is activated, the server resolves the malicious JNDI name, fetches a remote object reference, and instantiates attacker-supplied code in the JVM, yielding RCE as the application server process. …
Remediation Vendor-released patch: upgrade Apache CXF to 4.2.2 (for the 4.2.x branch) or 4.1.7 (for the 4.1.x branch) as published in the Apache advisory (https://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf and https://seclists.org/oss-sec/2026/q2/893). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all systems running Apache CXF 4.2.0-4.2.1 or 4.1.0-4.1.6, assess exposure, and create patch deployment plan. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50628 CRITICAL
9.8 Jun 11

Authentication bypass in Apache CXF's OAuthRequestFilter affects versions prior to 4.1.7 and 4.2.0-4.2.1, where an inver
CVE-2026-49875 CRITICAL
9.8 Jun 11

XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to tr
CVE-2026-50627 CRITICAL
9.1 Jun 11

Token confusion in Apache CXF's JwtAccessTokenValidator allows an attacker holding a valid JWT issued for one Resource S
CVE-2026-50632 HIGH
8.1 Jun 11

Remote code execution in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 can occur when untruste
CVE-2026-50630 MEDIUM
6.5 Jun 11

HTTP Response Splitting via CRLF injection in Apache CXF's OAuth2 module allows an attacker who controls the WWW-Authent

Vendor StatusVendor

Share

CVE-2026-50633 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy