Skip to main content

Apache CXF CVE-2026-50645

| EUVD-2026-36403 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-11 GHSA-ghvc-7hp8-2g2v
Apache Denial Of Service Cxf
High
Disputed · 7.5 NVD
Share

Severity by source

Sources disagree (Low–High)
Vendor (CNA) PRIMARY
LOW
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated message to a default CXF endpoint with no user interaction; pure availability impact via resource exhaustion, no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 12, 2026 - 15:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 12, 2026 - 15:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 12, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
Jun 12, 2026 - 15:22 NVD
CRITICAL HIGH
CVSS changed
Jun 12, 2026 - 15:22 NVD
7.5 (CRITICAL) 7.5 (HIGH)
Patch available
Jun 12, 2026 - 11:01 EUVD
Analysis Generated
Jun 11, 2026 - 20:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

Articles & Coverage 1

News Critical Resource Exhaustion DoS in Apache CXF - CVE-2026-50645 Jun 12, 2026

AnalysisAI

Denial of service in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 allows remote unauthenticated attackers to exhaust server resources by sending messages containing an unbounded number of attachment headers during deserialization. The flaw stems from missing input limits in the message deserialization path and can be triggered without authentication or user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed CXF endpoint
Delivery
Craft message with massive attachment header count
Exploit
Send to deserialization endpoint
Execution
Exhaust JVM memory and CPU
Impact
Service unavailable to legitimate users
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target must expose an Apache CXF service endpoint (SOAP/JAX-WS or JAX-RS) that accepts multipart messages with attachments - typically any CXF deployment using MTOM or multipart/related content types in its default configuration on a vulnerable 4.2.0-4.2.1 or pre-4.1.7 build. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent but point to a moderate operational risk rather than an emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker sends a single crafted SOAP or MTOM message to a public Apache CXF endpoint containing an extremely large number of attachment headers; during deserialization the server allocates resources proportional to the header count, causing memory exhaustion or CPU saturation. Repeating the request from a small number of sources is sufficient to take the service offline. …
Remediation Vendor-released patch: upgrade to Apache CXF 4.2.2 (for the 4.2.x branch) or 4.1.7 (for the 4.1.x branch), both of which enforce a default maximum of 500 attachments per message; see the Apache CXF advisory at https://cxf.apache.org/ and the announcement at https://lists.apache.org/thread/24zb7cqcvykhwm0j797dmdq25s61mj93. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all systems running affected Apache CXF versions (prior to 4.1.7 or 4.2.0-4.2.1). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50628 CRITICAL
9.8 Jun 11

Authentication bypass in Apache CXF's OAuthRequestFilter affects versions prior to 4.1.7 and 4.2.0-4.2.1, where an inver
CVE-2026-49875 CRITICAL
9.8 Jun 11

XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to tr
CVE-2026-50627 CRITICAL
9.1 Jun 11

Token confusion in Apache CXF's JwtAccessTokenValidator allows an attacker holding a valid JWT issued for one Resource S
CVE-2026-50632 HIGH
8.1 Jun 11

Remote code execution in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 can occur when untruste
CVE-2026-50633 HIGH
8.1 Jun 11

Remote code execution in Apache CXF's JCA integration module allows attackers to achieve arbitrary code execution via JN

Share

CVE-2026-50645 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy