Description
The fix for CVE-2025-48913 ("Apache CXF: Untrusted JMS configuration can lead to RCE") was not complete, meaning that another code path might still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Published: 2026-05-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an incomplete fix to CVE-2025-48913, which originally allowed remote code execution when untrusted users could configure JMS for Apache CXF. The remaining code path permits the execution of arbitrary code, and the issue is classified as a CWE-20 input validation weakness.

Affected Systems

Affected products are Apache CXF versions older than the fixes released in 4.2.1, 4.1.6, and 3.6.11. If a system continues to run any earlier version, it remains susceptible to exploitation until it is upgraded to one of these patched releases.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the CVSS score is 7.5, indicating a substantial risk. The risk remains significant because the flaw permits remote code execution if an attacker is able to supply or modify a JMS configuration. The attack likely requires some level of privilege or access to the configuration interface; once achieved, arbitrary code can run with the privileges of the CXF process.

Generated by OpenCVE AI on May 22, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache CXF to version 4.2.1, 4.1.6, or 3.6.11 or later
  • Restrict access to JMS configuration to trusted administrators only
  • If JMS is not required, disable the JMS feature to eliminate the attack surface

Generated by OpenCVE AI on May 22, 2026 at 15:41 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 22 May 2026 14:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Apache; Apache cxf
Vendors & Products    -                Apache; Apache cxf

Fri, 22 May 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 May 2026 12:45:00 +0000

Type          Values Removed   Values Added
Description   -                The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Title         -                Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)
Weaknesses    -                CWE-20
References    -                

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-23T03:55:40.449Z

Reserved: 2026-05-06T14:29:28.897Z

Link: CVE-2026-44417

Vulnrichment

Updated: 2026-05-22T13:04:52.367Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T15:45:16Z

Weaknesses