Description
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB)
external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Published: 2026-06-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache CXF’s EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, which permits out‑of‑band external entity resolution. This flaw can be used to read arbitrary local files or, if an attacker can influence the external entity, potentially execute code on the host system. The vulnerability is a classic XML External Entity (XXE) flaw and is classified as CWE‑611.

Affected Systems

The issue affects Apache CXF implementations from the Apache Software Foundation that include the vulnerable classes. All versions prior to 4.2.2 and 4.1.7 are impacted, while those that have been updated to 4.2.2 or higher, or 4.1.7, are considered patched.

Risk and Exploitability

The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, so a precise likelihood cannot be quantified from public data. The CVSS score is 6.5, indicating a moderate severity risk. Nevertheless, the weakness requires an attacker to supply crafted XML input to the application; once the library processes that input, the external entity can be resolved. Thus the exploitability depends on whether the application exposes an endpoint that accepts user‑supplied XML. If such an endpoint exists, an attacker could feasibly trigger the XXE and exfiltrate data or affect local resources.

Generated by OpenCVE AI on June 18, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache CXF to version 4.2.2 or 4.1.7, which removes the insecure SAXParserFactory construction.
  • If an upgrade is infeasible, ensure that XML parsing is performed with JAXP hardening enabled, such as setting SAXParserFactory features "http://apache.org/xml/features/disallow-doctype-decl" to true to block external entity resolution.
  • Apply network segmentation or firewall rules to limit outbound traffic from the host, thereby mitigating potential out‑of‑band data leaks, and monitor for unexpected DNS or HTTP requests originating from the application.

Generated by OpenCVE AI on June 18, 2026 at 03:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 15 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 12 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cxf
Vendors & Products Apache
Apache cxf

Fri, 12 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 12 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Title Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils
Weaknesses CWE-611
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-30T03:18:48.057Z

Reserved: 2026-06-02T08:45:53.536Z

Link: CVE-2026-49875

cve-icon Vulnrichment

Updated: 2026-06-12T09:27:54.123Z

cve-icon NVD

Status : Modified

Published: 2026-06-12T10:16:22.340

Modified: 2026-06-15T21:17:22.760

Link: CVE-2026-49875

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-12T08:54:50Z

Links: CVE-2026-49875 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:45:05Z

Weaknesses
  • CWE-611

    Improper Restriction of XML External Entity Reference