Skip to main content

Apache CXF EUVDEUVD-2026-31433

| CVE-2026-44930 CRITICAL
LDAP Injection (CWE-90)
2026-05-22 apache GHSA-pg32-686q-qh6x
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated LDAP injection (AV:N/AC:L/PR:N) yields unauthorized certificate disclosure only, so C:H with I:N/A:N since no write or availability impact is described.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 30, 2026 - 05:28 vuln.today
CVSS changed
Jun 30, 2026 - 03:24 NVD
4.3 (None) 9.8 (CRITICAL)
Patch available
May 26, 2026 - 14:16 EUVD
CVE Published
May 22, 2026 - 12:16 nvd
CRITICAL 9.8
CVE Published
May 22, 2026 - 12:16 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.

DescriptionNVD

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

AnalysisAI

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90) in the LDAP-backed certificate repository to retrieve certificates they are not authorized to see. Affected builds span Apache CXF 3.x before 3.6.11, 4.0.0-4.1.x before 4.1.6, and 4.2.0 before 4.2.1; the issue was reported by Apache itself and fixed in those releases. No public exploit identified at time of analysis, EPSS is very low (0.02%, 4th percentile), and CISA SSVC scores exploitation as 'none' with only 'partial' technical impact.

Technical ContextAI

Apache CXF is a widely used open-source Java services framework for building SOAP/REST web services. The flaw lives in its optional XKMS (XML Key Management Specification) server component, specifically the certificate repository implementation backed by an LDAP directory. When the XKMS server builds an LDAP search filter from attacker-influenced input without proper escaping, it is vulnerable to CWE-90 (LDAP Injection): crafted metacharacters (e.g. '*', parentheses, filter operators) alter the intended search filter so the directory returns certificate entries beyond those the request should match. The single CPE in scope is cpe:2.3:a:apache_software_foundation:apache_cxf, confirming the affected component is the CXF framework itself, though Red Hat references indicate the code is also tracked in Red Hat products that embed CXF.

RemediationAI

Vendor-released patch: upgrade Apache CXF to 4.2.1, 4.1.6, or 3.6.11 depending on your branch, as directed in the Apache advisory (https://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh); this is the primary and recommended fix. If you cannot upgrade immediately, the most effective compensating control is to disable or decommission the XKMS server component if it is not in use, which fully removes the attack surface at the cost of XKMS key-management functionality. Where XKMS must remain enabled, restrict network access to the XKMS endpoint to trusted internal callers via network ACLs or reverse-proxy allowlisting, accepting that legitimate remote clients must be enumerated; and if feasible, harden the backing LDAP service so the bind account used by the certificate repository has least-privilege read scope, limiting how much an injected filter can return. Red Hat customers should consult the VEX at https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44930.json for product-specific fixed packages.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

CVE-2025-14524 MEDIUM POC
5.3 Jan 08

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a s

Share

EUVD-2026-31433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy