CVE-2026-42404 - Vulnerability Details

- Apache Neethi: Unrestricted HTTP Redirect Following in Policy References

Description

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Published: 2026-05-01

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw exists in Apache Neethi, where the PolicyReference API does not validate the URI that it fetches. An application that explicitly calls the API can cause an outbound request to any protocol and address, including internal IP ranges. This allows an attacker to exfiltrate data, scan internal services, or pivot through the application’s network permissions. The underlying weak point is documented as CWE-918, which describes an unrestricted redirect or redirection that can be abused for unintended communication.

Affected Systems

The vulnerability affects the Apache Neethi component of the Apache Software Foundation. All versions prior to 3.2.2 are impacted, because 3.2.2 introduced restrictions limiting the accepted URI scheme to http/https only and removes link‑local, multicast, and any‑local addresses. No specific patch level is listed beyond the recommendation to upgrade to 3.2.2.

Risk and Exploitability

The CVSS score of 6.5 denotes moderate severity. EPSS information is not available, and the issue is not listed in the CISA KEV catalog. Attackers would need an application that calls the PolicyReference API with a crafted URI; once triggered, the application deems the address trusted and initiates a network connection. This lack of input validation can lead to internal network exposure, lateral movement, or other outward‑bound data leakage, especially in environments with unrestricted outbound connectivity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Neethi

unaffected

Version	Status	Constraints
`0`	affected	< 3.2.2

Configuration 1 [-]

cpe:2.3:a:apache:neethi:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache Neethi to version 3.2.2 or later, which enforces HTTP/HTTPS only and blocks link‑local and multicast addresses.
Review application code to ensure it does not invoke the PolicyReference API with external or user‑supplied URLs. Implement a whitelist of allowed hostnames if external policy loading is required.
Restrict outbound network access from the application host using firewall rules or network segmentation to block connections to unknown or internal IP ranges.

Generated by OpenCVE AI on May 1, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/01/8
https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oq

History

Fri, 01 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache neethi
CPEs		cpe:2.3:a:apache:neethi::::::::
Vendors & Products		Apache Apache neethi

Fri, 01 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/01/8

Fri, 01 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 01 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Title		Apache Neethi: Unrestricted HTTP Redirect Following in Policy References
Weaknesses		CWE-918
References		https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oq
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Apache Neethi

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-05-01T09:46:49.958Z

Updated: 2026-05-01T16:21:08.152Z

Reserved: 2026-04-27T10:34:58.951Z

Link: CVE-2026-42404

Vulnrichment

Updated: 2026-05-01T16:21:08.152Z

NVD

Status : Analyzed

Published: 2026-05-01T11:16:19.230

Modified: 2026-05-01T18:06:24.337

Link: CVE-2026-42404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object