Description
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. 
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Published: 2026-05-22
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An LDAP injection flaw (CWE-90) in the XKMS LDAP certificate repository of Apache CXF lets an attacker who can submit XKMS requests retrieve arbitrary certificates from the repository rather than only the certificate matching their query. The CVSS vector rates this as a low confidentiality impact (C:L) with no integrity or availability impact: X.509 certificates are not secret material, but the attacker can enumerate the repository's contents and the identities it holds, and the root cause, client-supplied input reaching an LDAP search filter without escaping, means part of a server-side LDAP query is under attacker control.
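As an added illustration (not Apache CXF's own XKMS repository code, whose filter template and attribute names this page does not show), the following constructed example builds an LDAP search filter from a client-supplied identifier the way a vulnerable lookup would, beside the RFC 4515 escaping that fixes it, and runs both against a small in-memory directory so the difference in what comes back is visible. The filter template, the attribute names (mail, userCertificate), the injection payload and the directory entries are all assumptions made for the example.

```python
"""LDAP filter injection (CWE-90) in a certificate-lookup path, and the RFC 4515
escaping that closes it.  Constructed example; not Apache CXF code.  The filter
template, attribute names and directory contents are assumptions."""
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPE = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515).
    Metacharacters become \\XX; non-ASCII characters are emitted as the escaped
    bytes of their UTF-8 encoding, as the RFC specifies."""
    out = []
    for ch in value:
        if ch in _ESCAPE:
            out.append(_ESCAPE[ch])
        elif ord(ch) < 0x80:
            out.append(ch)
        else:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


# Assumed template: find the certificate holder whose e-mail address was requested.
FILTER_TEMPLATE = "(&(objectClass=inetOrgPerson)(mail={}))"


def build_filter_vulnerable(identifier: str) -> str:
    """Vulnerable: the client-supplied identifier is pasted straight into the filter."""
    return FILTER_TEMPLATE.format(identifier)


def build_filter_hardened(identifier: str) -> str:
    """Hardened: the identifier is escaped, so it can only be compared as a literal value."""
    return FILTER_TEMPLATE.format(escape_filter_value(identifier))


# --- A toy directory and matcher, just enough to evaluate filters of the template's shape ---

# Constructed directory entries (certificate values are placeholders, not real DER).
DIRECTORY = [
    {"objectClass": "inetOrgPerson", "mail": "alice@example.com", "userCertificate": "CERT-ALICE"},
    {"objectClass": "inetOrgPerson", "mail": "bob@example.com", "userCertificate": "CERT-BOB"},
    {"objectClass": "inetOrgPerson", "mail": "carol@example.com", "userCertificate": "CERT-CAROL"},
]

# Payload an attacker might send as the "identifier": it closes the mail assertion
# with a wildcard and appends a second presence assertion that every entry satisfies.
INJECTION = "*)(objectClass=*"


def _unescape(value: str) -> str:
    """Decode RFC 4515 \\XX escapes back into the literal string they stand for."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3] or ""):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def _parse_and_filter(filter_str: str) -> list:
    """Parse only the shape the template produces: (&(attr=value)(attr=value)...).
    Returns the list of (attr, value) assertions."""
    m = re.fullmatch(r"\(&((?:\([A-Za-z]+=[^()]*\))+)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter shape: " + filter_str)
    return re.findall(r"\(([A-Za-z]+)=([^()]*)\)", m.group(1))


def lookup_certificates(directory: list, filter_str: str) -> list:
    """Return the userCertificate of every entry matching all assertions.
    A bare '*' is a presence test; anything else is a literal (case-sensitive here,
    unlike a real LDAP server) comparison after undoing RFC 4515 escapes."""
    assertions = _parse_and_filter(filter_str)
    hits = []
    for entry in directory:
        matched = all(
            attr in entry and (value == "*" or entry[attr] == _unescape(value))
            for attr, value in assertions
        )
        if matched:
            hits.append(entry["userCertificate"])
    return hits


if __name__ == "__main__":
    for build in (build_filter_vulnerable, build_filter_hardened):
        f = build(INJECTION)
        print(build.__name__, "->", f)
        print("   returned:", lookup_certificates(DIRECTORY, f))
```

Running the block shows the vulnerable builder turning the payload into `(&(objectClass=inetOrgPerson)(mail=*)(objectClass=*))`, which the matcher satisfies for every entry, while the hardened builder yields `(mail=\2a\29\28objectClass=\2a)`, a literal that matches nothing. In a real deployment the same escaping belongs at the point where the XKMS request value is placed into the filter; with JNDI, the equivalent is to pass the value through a filter-argument mechanism or escape it before concatenation.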

Affected Systems

Apache CXF deployments that run the XKMS server with its LDAP certificate repository are affected: versions before 4.2.1 on the 4.2.x line, before 4.1.6 on 4.1.x, and before 3.6.11 on 3.6.x. The flaw lies in that repository component, so deployments that do not run the XKMS service are not exposed through this issue. Confirm the CXF version in use from the build's dependency list or from the version recorded in the cxf jars on the classpath, then apply the upgrade for the line in use.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) describes a network-reachable attack of low complexity that needs low privileges (a client able to submit XKMS requests to the server) and no user interaction, with low confidentiality impact and none on integrity or availability. No EPSS score is available, the vulnerability is not listed in CISA KEV, and the SSVC assessment records no known exploitation and rates it not automatable. The 4.3 score reflects that certificates are generally public data; the practical concern is enumeration of the repository and the fact that an untrusted client controls part of an LDAP query the server issues, so deployments whose XKMS endpoint is reachable by untrusted clients should treat the upgrade as routine but not defer it.

Generated by OpenCVE AI on May 22, 2026 at 19:25 UTC.

Remediation

Fixed versions are available: upgrade Apache CXF to 4.2.1, 4.1.6 or 3.6.11, whichever matches the release line in use. The advisory text lists no workaround.

OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade Apache CXF to 4.2.1, 4.1.6, or 3.6.11
  • Restrict access to the XKMS service by configuring firewall rules to allow traffic only from trusted IP addresses or networks
  • If the XKMS functionality is not required, disable or remove the XKMS server or LDAP repository component from the application
  • Enable logging of all LDAP queries and monitor for anomalous requests that could indicate injection attempts

Generated by OpenCVE AI on May 22, 2026 at 19:25 UTC.

Advisories

No advisories yet.

History

No values were removed in any entry; each entry below lists the values added.

Fri, 22 May 2026 18:15:00 +0000
  Metrics:
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 14:15:00 +0000
  First Time appeared: Apache; Apache cxf
  Vendors & Products: Apache; Apache cxf

Fri, 22 May 2026 12:45:00 +0000
  Description: An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
  Title: Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository
  Weaknesses: CWE-90
  References:

MITRE
  Status: PUBLISHED
  Assigner: apache
  Published:
  Updated: 2026-05-22T21:26:22.941Z
  Reserved: 2026-05-08T10:39:48.240Z
  Link: CVE-2026-44930

Vulnrichment
  Updated: 2026-05-22T21:26:22.941Z

NVD
  No data.

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-05-22T19:30:44Z

Weaknesses