Cxf

13 CVEs for this product

CVE-2026-50645 HIGH PATCH This Week

Denial of service in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 allows remote unauthenticated attackers to exhaust server resources by sending messages containing an unbounded number of attachment headers during deserialization. The flaw stems from missing input limits in the message deserialization path and can be triggered without authentication or user interaction. EPSS rates real-world exploitation probability as low (0.02%) and no public exploit has been identified at time of analysis, but SSVC flags the attack as automatable.

Apache Denial Of Service Cxf
NVD VulDB
CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2026-50634 MEDIUM PATCH This Month

Signature metadata trust bypass in Apache CXF's JwsJsonContainerRequestFilter allows an attacker who can send JWS JSON-signed requests to inject unvalidated metadata - such as Content-Type or protected HTTP headers - by placing it in the first signature entry of a multi-signature JWS JSON token, even when that entry's signature was never verified. Affected deployments using the cxf-rt-rs-security-jose-jaxrs module may incorrectly trust attacker-controlled content type or header values, steering JAX-RS entity parsing or signed-header consistency checks in unintended ways. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-released patches 4.2.2 and 4.1.7 were published June 10, 2026.

Apache Authentication Bypass Jwt Attack Cxf
NVD VulDB
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-50633 HIGH PATCH This Week

Remote code execution in Apache CXF's JCA integration module allows attackers to achieve arbitrary code execution via JNDI injection when they can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Affected versions span Apache CXF 4.2.0 to before 4.2.2, and all versions prior to 4.1.7. Despite a CVSS of 8.1, there is no public exploit identified at time of analysis and EPSS sits at 0.04%, suggesting limited near-term exploitation likelihood.

Apache RCE Cxf Red Hat
NVD VulDB
CVSS 3.1: 8.1 | EPSS: 0.0%
CVE-2026-50632 HIGH PATCH This Week

Remote code execution in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 can occur when untrusted users are permitted to configure JMS transport, representing a third attempt to fully address the original advisory CVE-2026-44417. With no public exploit identified at time of analysis and an EPSS score of 0.04%, near-term mass exploitation appears unlikely, but the SSVC technical impact is rated total and the flaw is deemed automatable once weaponized.

Apache RCE Cxf
NVD VulDB
CVSS 3.1: 8.1 | EPSS: 0.0%
CVE-2026-50631 HIGH PATCH This Week

Refresh token replay in Apache CXF's OAuth2 provider lets remote attackers concurrently exchange a single leaked refresh token for multiple valid access tokens, breaking the single-use property defenders rely on. The flaw lives in AbstractOAuthDataProvider and only manifests when deployments set 'recycleRefreshTokens' to false. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (4th percentile), but SSVC scores technical impact as 'total' due to the OAuth trust implications.

Information Disclosure Cxf
NVD VulDB
CVSS 3.1: 7.4 | EPSS: 0.0%
CVE-2026-50630 MEDIUM PATCH This Month

HTTP Response Splitting via CRLF injection in Apache CXF's OAuth2 module allows an attacker who controls the WWW-Authenticate realm parameter to inject arbitrary HTTP headers or split HTTP responses entirely. Affected deployments include cxf-rt-rs-security-oauth2 versions from 4.2.0 up to but not including 4.2.2, and all versions before 4.1.7. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, but successful exploitation could enable cache poisoning, header injection, or redirection of downstream HTTP clients processing the malformed response.

Code Injection Cxf
NVD VulDB
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-50629 MEDIUM PATCH This Month

Log injection in Apache CXF's OAuth2 module (org.apache.cxf:cxf-rt-rs-security-oauth2) permits remote attackers to forge arbitrary log entries by supplying crafted `clientId` values containing control characters or newline sequences in OAuth2 HTTP requests. Affected are CXF 4.2.0-4.2.1 and all 4.1.x versions before 4.1.7; fixed releases 4.2.2 and 4.1.7 were issued June 10, 2026. No public exploit code or active exploitation has been identified at time of analysis; practical impact is confined to log integrity compromise that could mislead security monitoring and incident response processes.

Code Injection Cxf
NVD VulDB
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-50628 CRITICAL PATCH Act Now

Authentication bypass in Apache CXF's OAuthRequestFilter affects versions prior to 4.1.7 and 4.2.0-4.2.1, where an inverted IP-binding check rejects requests from the configured bound IP and permits requests from every other source address. The flaw turns an intended IP allowlist into an implicit deny-list of one, enabling remote unauthenticated attackers to reach protected OAuth endpoints from arbitrary networks. EPSS is low (0.04%) and no public exploit has been identified at time of analysis, but the trivial nature of the logic inversion makes exploitation straightforward once the misbehaving filter is enabled.

Information Disclosure Cxf Red Hat
NVD VulDB
CVSS 3.1: 9.8 | EPSS: 0.0%
CVE-2026-50627 CRITICAL PATCH Act Now

Token confusion in Apache CXF's JwtAccessTokenValidator allows an attacker holding a valid JWT issued for one Resource Server to replay it against an unrelated Resource Server because the 'aud' (Audience) claim is not validated. Affects Apache CXF 4.2.0 through 4.2.1 and all versions prior to 4.1.7, enabling cross-service authentication bypass with full confidentiality, integrity, and availability impact on the unintended target. No public exploit has been identified at time of analysis and EPSS is very low (0.02%, 4th percentile), but the fix is straightforward and the issue is structurally severe for federated OAuth2/JWT deployments.

Apache Information Disclosure Cxf Red Hat
NVD VulDB
CVSS 3.1: 9.1 | EPSS: 0.0%
CVE-2026-50623 MEDIUM PATCH This Month

Authentication bypass in Apache CXF's OAuth2 TokenIntrospectionService allows unauthenticated network access to the token introspection endpoint due to a missing 'throw' keyword in the internal security context check, causing the guard to silently pass rather than reject unauthorized callers. Affected are deployments using cxf-rt-rs-security-oauth2 versions 4.2.0-4.2.1 and all 4.1.x releases before 4.1.7 that relied solely on CXF's built-in check without independent authentication at the container or gateway layer. No public exploit code or active exploitation has been identified; vendor-confirmed patches (4.2.2 and 4.1.7) were released June 10, 2026.

Apache Authentication Bypass Cxf
NVD VulDB
CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2026-49875 CRITICAL PATCH Act Now

XML External Entity (XXE) processing in Apache CXF versions prior to 4.1.7 and 4.2.0-4.2.1 allows remote attackers to trigger out-of-band external entity resolution via the EndpointReferenceUtils and W3CMultiSchemaFactory classes, which instantiate SAXParserFactory without JAXP hardening. While CVSS scores this 9.8 critical, EPSS reports only 0.02% exploitation probability, and there is no public exploit identified at time of analysis. Successful exploitation could enable data exfiltration, SSRF, or denial-of-service against applications that process attacker-controlled XML through CXF web services.

Apache XXE Cxf Red Hat
NVD VulDB
CVSS 3.1: 9.8 | EPSS: 0.0%
CVE-2025-48913 Maven CRITICAL PATCH This Week

If untrusted users are allowed to configure JMS for Apache CXF, they could previously supply RMI or LDAP URLs, potentially leading to code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.

RCE Apache Cxf Red Hat
NVD
CVSS 3.1: 9.8 | EPSS: 0.2%
CVE-2025-23184 Maven MEDIUM PATCH This Month

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable with no authentication required. No vendor patch available.

Apache Denial Of Service Cxf Red Hat
NVD
CVSS 3.1: 5.9 | EPSS: 0.1%