Description
Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Published: 2026-05-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Neethi fails to detect circular references in WS-Policy documents, allowing an attacker to craft a policy that triggers an infinite loop or stack overflow during policy normalisation. This flaw is a classic example of CWE-400: Uncontrolled Resource Consumption, and its primary impact is a denial of service where the application may crash, hang, or become unresponsive after processing the malicious policy.

Affected Systems

The Apache Software Foundation’s Apache Neethi library is affected; any version older than 3.2.2 is vulnerable. The recommended fix is to upgrade to the 3.2.2 release, which contains the patch for this issue.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score is not available, so the exact likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by supplying a crafted WS-Policy document that contains circular references to a Neethi-based application, triggering a denial of service on systems that accept or load remote policy documents, or on local applications that do not validate policy input.

Generated by OpenCVE AI on May 1, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the Apache Neethi 3.2.2 or newer release to replace any vulnerable libraries.
  • Enable or implement a policy validation layer that detects and rejects circular references before normalisation.
  • Implement a recursion depth or timeout limit during policy parsing to prevent infinite loops or stack overflows.
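
The second and third actions above, as an added example that is not code from Neethi or from this advisory: a pre-normalisation check that builds the reference graph of a WS-Policy document (wsp:Policy elements with a wsu:Id, linked by wsp:PolicyReference URI="#id"), rejects the A -> B -> A cycle the description mentions, and caps the reference-chain depth as a second safety net. The two sample documents, the plain `policies` wrapper element and the assumption that policies are siblings rather than nested are constructed for the example.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample documents (not from the advisory): the first is the A -> B -> A
# cycle the advisory describes, the second is the same pair without the back-reference.
CYCLIC_DOC = f"""<policies xmlns:wsp="{WSP}" xmlns:wsu="{WSU}">
  <wsp:Policy wsu:Id="A"><wsp:PolicyReference URI="#B"/></wsp:Policy>
  <wsp:Policy wsu:Id="B"><wsp:PolicyReference URI="#A"/></wsp:Policy>
</policies>"""
ACYCLIC_DOC = CYCLIC_DOC.replace('<wsp:PolicyReference URI="#A"/>', "<wsp:ExactlyOne/>")

def policy_graph(xml_text):
    """Map each wsp:Policy carrying a wsu:Id to the ids its wsp:PolicyReference elements
    (URI="#id") point at. Assumes policies are siblings, not nested inside one another."""
    graph = {}
    for pol in ET.fromstring(xml_text).iter(f"{{{WSP}}}Policy"):
        pid = pol.get(f"{{{WSU}}}Id")
        if pid is None:
            continue
        uris = (ref.get("URI", "") for ref in pol.iter(f"{{{WSP}}}PolicyReference"))
        graph[pid] = [u[1:] for u in uris if u.startswith("#")]
    return graph

def find_cycle(graph, start, max_depth=32):
    """Depth-first walk from `start`: returns the path that closes a cycle (e.g. ['A', 'B', 'A'])
    or None. Raises ValueError when a reference chain is longer than max_depth."""
    def visit(node, path, on_stack):
        if len(path) > max_depth:
            raise ValueError("reference chain deeper than %d: %s" % (max_depth, " -> ".join(path)))
        if node in on_stack:            # back-reference to a policy still being expanded
            return path + [node]
        if node not in graph:           # dangling reference: leave it to the normal resolver
            return None
        on_stack.add(node)
        for nxt in graph[node]:
            cyc = visit(nxt, path + [node], on_stack)
            if cyc:
                return cyc
        on_stack.discard(node)
        return None
    return visit(start, [], set())

def validate(xml_text):
    """First circular reference path found, or None if the document is safe to normalise."""
    graph = policy_graph(xml_text)
    cycles = (find_cycle(graph, pid) for pid in graph)
    return next((c for c in cycles if c), None)
```

Run `validate()` on every policy document before it reaches the normaliser and reject the document when it returns a path or raises; the depth cap also stops long but non-circular chains from consuming the stack.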

Generated by OpenCVE AI on May 1, 2026 at 23:52 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache neethi
CPEs cpe:2.3:a:apache:neethi:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache neethi

Fri, 01 May 2026 17:30:00 +0000

Type Values Removed Values Added
References

Fri, 01 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 09:15:00 +0000

Type Values Removed Values Added
Description Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Title Apache Neethi: Circular Policy Reference Infinite Loop
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-01T16:21:07.061Z

Reserved: 2026-04-27T10:33:09.134Z

Link: CVE-2026-42403

Vulnrichment

Updated: 2026-05-01T16:21:07.061Z

NVD

Status : Analyzed

Published: 2026-05-01T09:16:17.137

Modified: 2026-05-01T18:08:21.653

Link: CVE-2026-42403

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses