Skip to main content

Apache CXF EUVDEUVD-2026-31432

| CVE-2026-44417 HIGH
Improper Input Validation (CWE-20)
2026-05-22 apache GHSA-2hvc-5c6v-f533
7.5
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Network-reachable but requires privilege to influence JMS configuration (PR:L) and a non-trivial coercion path (AC:H), yielding total code-execution impact across C/I/A.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 30, 2026 - 05:27 vuln.today
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.5 (None) 7.5 (HIGH)
Patch available
May 26, 2026 - 14:16 EUVD
CVE Published
May 22, 2026 - 12:17 cve.org
HIGH 7.5
CVE Published
May 22, 2026 - 12:17 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.apache.cxf:cxf-rt-transports-jms (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.

DescriptionCVE.org

The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

AnalysisAI

Remote code execution in Apache CXF (versions before 3.6.11, 4.0.0-4.1.5, and 4.2.0) arises because the fix for CVE-2025-48913 was incomplete, leaving a second code path through which untrusted JMS configuration can be abused to execute code. The flaw only matters where untrusted users are permitted to supply or influence JMS transport configuration for CXF endpoints. This is a remediation-regression issue carrying no public exploit identified at time of analysis, a very low EPSS (0.10%), and SSVC exploitation status of 'none', but the technical impact is rated total.

Technical ContextAI

Apache CXF is a widely deployed open-source Java framework for building SOAP and REST web services, and it supports JMS as a transport binding. The root cause is classed as CWE-20 (Improper Input Validation): CXF does not fully validate or constrain JMS configuration parameters, so a configuration value an attacker controls (for example connection factory, JNDI, or destination settings) can be coerced into loading or invoking attacker-influenced code. This is the same class of weakness as the original CVE-2025-48913; the upstream patch for that issue closed one path but, per the Apache advisory, a second path in the code remained reachable, which CVE-2026-44417 now addresses. The single CPE provided (cpe:2.3:a:apache_software_foundation:apache_cxf:*) does not pin versions, so the EUVD version ranges are the authoritative source for affected builds.

RemediationAI

Vendor-released patch: upgrade to Apache CXF 4.2.1, 4.1.6, or 3.6.11 depending on your branch (4.2.x users go to 4.2.1, 4.0.x/4.1.x users go to 4.1.6, and 3.x users go to 3.6.11), as directed in the Apache advisory at https://lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjvmclvz4o. Because this is an incomplete-fix follow-up to CVE-2025-48913, partially patched 3.6.x/4.1.x builds are insufficient and must reach the exact fixed versions above. If immediate upgrade is not possible, the most effective compensating control is to ensure untrusted users cannot supply or alter JMS transport configuration for CXF endpoints - remove JMS configuration capability from untrusted-facing interfaces, lock JMS connection/JNDI settings to a trusted server-side configuration, and restrict who can deploy or reconfigure services; the trade-off is reduced flexibility for legitimate operators who previously customized JMS settings. Also consult Red Hat's VEX/advisory (https://access.redhat.com/security/cve/CVE-2026-44417) if you consume CXF through a Red Hat product.

Share

EUVD-2026-31432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy