Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated LDAP injection (AV:N/AC:L/PR:N) yields unauthorized certificate disclosure only, so C:H with I:N/A:N since no write or availability impact is described.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Blast Radius
ecosystem impact- 1 maven packages depend on org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.2.0.
DescriptionNVD
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
AnalysisAI
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90) in the LDAP-backed certificate repository to retrieve certificates they are not authorized to see. Affected builds span Apache CXF 3.x before 3.6.11, 4.0.0-4.1.x before 4.1.6, and 4.2.0 before 4.2.1; the issue was reported by Apache itself and fixed in those releases. No public exploit identified at time of analysis, EPSS is very low (0.02%, 4th percentile), and CISA SSVC scores exploitation as 'none' with only 'partial' technical impact.
Technical ContextAI
Apache CXF is a widely used open-source Java services framework for building SOAP/REST web services. The flaw lives in its optional XKMS (XML Key Management Specification) server component, specifically the certificate repository implementation backed by an LDAP directory. When the XKMS server builds an LDAP search filter from attacker-influenced input without proper escaping, it is vulnerable to CWE-90 (LDAP Injection): crafted metacharacters (e.g. '*', parentheses, filter operators) alter the intended search filter so the directory returns certificate entries beyond those the request should match. The single CPE in scope is cpe:2.3:a:apache_software_foundation:apache_cxf, confirming the affected component is the CXF framework itself, though Red Hat references indicate the code is also tracked in Red Hat products that embed CXF.
RemediationAI
Vendor-released patch: upgrade Apache CXF to 4.2.1, 4.1.6, or 3.6.11 depending on your branch, as directed in the Apache advisory (https://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh); this is the primary and recommended fix. If you cannot upgrade immediately, the most effective compensating control is to disable or decommission the XKMS server component if it is not in use, which fully removes the attack surface at the cost of XKMS key-management functionality. Where XKMS must remain enabled, restrict network access to the XKMS endpoint to trusted internal callers via network ACLs or reverse-proxy allowlisting, accepting that legitimate remote clients must be enumerated; and if feasible, harden the backing LDAP service so the bind account used by the certificate repository has least-privilege read scope, limiting how much an injected filter can return. Red Hat customers should consult the VEX at https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44930.json for product-specific fixed packages.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a s
Same weakness CWE-90 – LDAP Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31433
GHSA-pg32-686q-qh6x