CVE-2026-44417 - Vulnerability Details

- Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)

Description

The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Published: 2026-05-22

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from an incomplete fix to CVE-2025-48913, which originally allowed remote code execution when untrusted users could configure JMS for Apache CXF. The remaining code path permits the execution of arbitrary code, and the issue involves both a configuration management weakness (CWE‑15) and an input validation weakness (CWE‑20).

Affected Systems

Affected products are Apache CXF versions older than the fixes released in 4.2.1, 4.1.6, and 3.6.11. If a system continues to run any earlier version, it remains susceptible to exploitation until it is upgraded to one of these patched releases.

Risk and Exploitability

The EPSS score is 0.00153 (less than 1%), indicating a very low but non‑zero probability of exploitation in the wild. Despite this, the CVSS score of 7.5 signals significant risk. The flaw permits remote execution when an attacker can supply or modify a JMS configuration. Attack may require access to the configuration interface or some level of privilege; once achieved, arbitrary code can execute with the privileges of the CXF process. The vulnerability is not listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache CXF

unaffected

Version	Status	Constraints
`4.2.0`	affected	< 4.2.1
`4.0.0`	affected	< 4.1.6
`0`	affected	< 3.6.11

Configuration 1 [-]

OR	cpe:2.3:a:apache:cxf::::::::
	cpe:2.3:a:apache:cxf::::::::
	cpe:2.3:a:apache:cxf:4.2.0:::::::*

No data.

Vendor Product Confidence Versions

Apache

Cxf

95%

Version	Status	Scheme	Platform
`[4.2.0,4.2.1)`	affected	semver	—
`[4.0.0,4.1.6)`	affected	semver	—
`[0,3.6.11)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Apache CXF to version 4.2.1, 4.1.6, or 3.6.11 to apply the fix for the incomplete patch.
Ensure that only authorized administrators can configure JMS; restrict access to the JMS configuration interface.
Temporarily disable JMS configuration capabilities in Apache CXF or remove unneeded JMS endpoints until a patch is applied.

Generated by OpenCVE AI on June 4, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00153.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjvmclvz4o
https://nvd.nist.gov/vuln/detail/CVE-2026-44417
https://www.cve.org/CVERecord?id=CVE-2026-44417

History

Thu, 04 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-15
References		https://nvd.nist.gov/vuln/detail/CVE-2026-44417 https://www.cve.org/CVERecord?id=CVE-2026-44417
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 26 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:cxf:::::::: cpe:2.3:a:apache:cxf:4.2.0:::::::*

Fri, 22 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache cxf
Vendors & Products		Apache Apache cxf

Fri, 22 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 22 May 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Title		Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)
Weaknesses		CWE-20
References		https://lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjvmclvz4o

Subscriptions

Apache Cxf

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-05-22T12:17:25.102Z

Updated: 2026-05-23T03:55:40.449Z

Reserved: 2026-05-06T14:29:28.897Z

Link: CVE-2026-44417

Vulnrichment

Updated: 2026-05-22T13:04:52.367Z

NVD

Status : Analyzed

Published: 2026-05-22T13:16:22.600

Modified: 2026-05-22T19:29:21.540

Link: CVE-2026-44417

Redhat

Severity : Important

Publid Date: 2026-05-22T12:17:25Z

Links: CVE-2026-44417 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-04T14:30:15Z

Weaknesses

CWE-15
External Control of System or Configuration Setting
CWE-20
Improper Input Validation

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object