Description
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Published: 2026-05-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an insecure XML parser configuration in Apache CXF's WS-Transfer module, which leaves the parser able to resolve external entities (CWE-611). Based on the description and the CVSS vector (C:L, I:N, A:N), an attacker who can submit XML to the WS-Transfer endpoint could declare an external entity to read files the service account can access or to make the server issue requests to internal hosts (SSRF). The vector records only a limited confidentiality impact; nothing in the advisory supports integrity loss or code execution.

Affected Systems

Apache CXF releases before the fixed versions are affected: 4.2.x before 4.2.1, 4.1.x before 4.1.6 and 3.6.x before 3.6.11. Exposure requires the WS-Transfer module to be in use and its endpoint reachable by the attacker; the advisory names only that module. Upgrading to a fixed release removes the weakness.

Risk and Exploitability

The CVSS 3.1 score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N): the endpoint is reached over the network with no privileges or user interaction, and the rated impact is limited to confidentiality. No EPSS score is available, the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The advisory states only that the flaw is in the WS-Transfer module; because no privileges are required, any client able to reach that endpoint can submit the malicious XML. Treat it as a medium-severity issue and prioritise the upgrade where the WS-Transfer endpoint accepts XML from untrusted networks.

Generated by OpenCVE AI on May 22, 2026 at 15:53 UTC.

Remediation

Fixed in Apache CXF 4.2.1, 4.1.6 and 3.6.11 (see Description). No separate vendor workaround is published.

OpenCVE Recommended Actions

  • Upgrade Apache CXF to version 4.2.1, 4.1.6, or 3.6.11, matching your product line.
  • If an immediate upgrade is not possible, harden the XML parser that receives the requests: disallow DOCTYPE declarations and disable resolution of external general and parameter entities.
  • Restrict access to the WS-Transfer endpoint so that only trusted clients can submit XML requests, and monitor for anomalous SOAP activity.
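The parser hardening the second action refers to, as an added example and not code from Apache CXF or from OpenCVE: a constructed SOAP-shaped request carrying a DOCTYPE is parsed once with the JDK's default DocumentBuilderFactory and once with a factory that disallows DOCTYPE declarations and external entities, and the same two properties are shown for a StAX XMLInputFactory, the parser family CXF's SOAP stack is built on. The class and method names and the sample request are assumptions for the illustration; these settings apply to a parser you control and do not alter how CXF's WS-Transfer module configures its own parser, which is what the fixed releases address.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

public class XxeHardening {

    // Constructed sample (not a real CXF request): a SOAP-shaped body carrying a DTD.
    // An internal entity is used so the demo reads no files; an XXE payload uses the
    // same DOCTYPE shape with a SYSTEM entity (e.g. SYSTEM "file:///etc/passwd").
    static final String SAMPLE_REQUEST =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE soap [ <!ENTITY ent \"expanded-by-parser\"> ]>\n" +
        "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\">\n" +
        "  <soap:Body><Get>&ent;</Get></soap:Body>\n" +
        "</soap:Envelope>";

    /** Weak setting: the JDK default accepts DOCTYPEs, expands entities and resolves SYSTEM ids. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Corrected setting: DOM factory hardened per the OWASP XXE guidance. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright, so no internal or external entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces if DOCTYPEs must be tolerated elsewhere: no external entities, no external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Same intent for a StAX reader (CXF's SOAP processing is StAX-based): no DTDs, no external entities. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Parses with the given factory; returns the Get element's text, or the parser's rejection message. */
    static String parseGet(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "parsed: " + d.getElementsByTagName("Get").item(0).getTextContent();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    /** Coarse gateway pre-filter: a SOAP request never needs a DTD, so flag any DOCTYPE declaration. */
    static boolean containsDoctype(String body) {
        return body.contains("<!DOCTYPE");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + parseGet(defaultFactory(), SAMPLE_REQUEST));
        System.out.println("hardened -> " + parseGet(hardenedFactory(), SAMPLE_REQUEST));
        System.out.println("pre-filter flags request: " + containsDoctype(SAMPLE_REQUEST));
    }
}
```

With the default factory the entity is expanded and the request parses; the hardened factory rejects it at the DOCTYPE before any entity is declared, which is the behaviour a check against a patched or mitigated endpoint should show. The containsDoctype pre-filter is a coarse gateway check: it catches the literal declaration a DTD-based payload must carry, but it inspects the body as a Java string, so it must run after transport and charset decoding, and it is a stopgap for the restricted-access action above, not a substitute for fixing the parser.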

Generated by OpenCVE AI on May 22, 2026 at 15:53 UTC.

Advisories

No advisories yet.

History

Fri, 22 May 2026 14:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Apache; Apache cxf
Vendors & Products                      Apache; Apache cxf

Fri, 22 May 2026 13:30:00 +0000

Type      Values Removed    Values Added
Metrics                     cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
                            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 12:45:00 +0000

Type          Values Removed    Values Added
Description                     Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Title                           Apache CXF: XXE vulnerability in WS-Transfer functionality
Weaknesses                      CWE-611
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-22T21:26:21.841Z

Reserved: 2026-05-07T09:19:11.328Z

Link: CVE-2026-44618

Vulnrichment

Updated: 2026-05-22T21:26:21.841Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T16:00:14Z

Weaknesses