Skip to main content

Apache Neethi EUVDEUVD-2026-26491

| CVE-2026-42404 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-01 apache
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
May 01, 2026 - 18:06 nvd
Patch available
Patch available
May 01, 2026 - 12:01 EUVD
Analysis Generated
May 01, 2026 - 10:45 vuln.today
EUVD ID Assigned
May 01, 2026 - 10:30 euvd
EUVD-2026-26491
Analysis Generated
May 01, 2026 - 10:30 vuln.today
CVE Published
May 01, 2026 - 09:46 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 337 maven packages depend on org.apache.neethi:neethi (13 direct, 324 indirect)

Ecosystem-wide dependent count for version 3.2.2.

DescriptionCVE.org

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

AnalysisAI

Server-Side Request Forgery (SSRF) in Apache Neethi allows remote attackers to make arbitrary outbound requests to internal IP addresses and non-HTTP/HTTPS protocols when an application explicitly calls the PolicyReference API to retrieve remote policies. The vulnerability affects all versions before 3.2.2, which restricts URI schemes to HTTP/HTTPS and blocks link-local, multicast, and any-local addresses. No active exploitation has been confirmed at this time.

Technical ContextAI

Apache Neethi is a Java library that processes WS-Policy specifications in Web Services. The PolicyReference API provides functionality to dynamically fetch policy documents from remote URIs. The vulnerability stems from insufficient validation of URI schemes and destination addresses before making outbound HTTP requests. CWE-918 (Server-Side Request Forgery) describes the root cause: the application fails to validate that user-supplied URLs reference only intended external hosts, allowing attackers to craft malicious URIs that cause the library to make requests to internal resources (RFC 1918 addresses, link-local addresses 169.254.0.0/16, multicast 224.0.0.0/4, loopback 127.0.0.0/8, or ::1/128) or invoke protocols other than HTTP/HTTPS. This occurs because the PolicyReference fetch operation does not restrict the destination of outbound connections.

RemediationAI

Upgrade Apache Neethi to version 3.2.2 or later, which restricts PolicyReference URI schemes to HTTP and HTTPS only and blocks requests to link-local (169.254.0.0/16), multicast (224.0.0.0/4), and any-local (127.0.0.0/8, ::1/128) address ranges. If immediate upgrade is not feasible, implement compensating controls: restrict outbound network access from the application to only intended external policy servers using firewall rules or network policies (e.g., deny egress to RFC 1918 ranges, 169.254.0.0/16, 224.0.0.0/4, and loopback addresses). Additionally, audit application code to identify all uses of the PolicyReference API and verify that policy URIs are not derived from untrusted user input; if possible, pre-validate and whitelist allowed policy URIs. Avoid using PolicyReference with user-controlled URIs until the patch is deployed. See Apache advisory at https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oq for details.

Vendor StatusVendor

Share

EUVD-2026-26491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy