Description
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB)
external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Published: 2026-06-12
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache CXF’s EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, which permits out‑of‑band external entity resolution. This flaw can be used to read arbitrary local files or, if an attacker can influence the external entity, potentially execute code on the host system. The vulnerability is a classic XML External Entity (XXE) flaw and is classified as CWE‑611.

Affected Systems

The issue affects Apache CXF implementations from the Apache Software Foundation that include the vulnerable classes. All versions prior to 4.2.2 and 4.1.7 are impacted, while those that have been updated to 4.2.2 or higher, or 4.1.7, are considered patched.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so a precise likelihood cannot be quantified from public data. The CVSS score is also absent. Nevertheless, the weakness requires an attacker to supply crafted XML input to the application; once the library processes that input, the external entity can be resolved. Thus the exploitability depends on whether the application exposes an endpoint that accepts user‑supplied XML. If such an endpoint exists, an attacker could feasibly trigger the XXE and exfiltrate data or affect local resources.

Generated by OpenCVE AI on June 12, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache CXF to version 4.2.2 or 4.1.7, which removes the insecure SAXParserFactory construction.
  • If an upgrade is infeasible, ensure that XML parsing is performed with JAXP hardening enabled, such as setting SAXParserFactory features "http://apache.org/xml/features/disallow-doctype-decl" to true to block external entity resolution.
  • Apply network segmentation or firewall rules to limit outbound traffic from the host, thereby mitigating potential out‑of‑band data leaks, and monitor for unexpected DNS or HTTP requests originating from the application.

Generated by OpenCVE AI on June 12, 2026 at 10:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cxf
Vendors & Products Apache
Apache cxf

Fri, 12 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 12 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Title Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils
Weaknesses CWE-611
References

Subscriptions

Apache Cxf
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-12T09:27:54.123Z

Reserved: 2026-06-02T08:45:53.536Z

Link: CVE-2026-49875

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-12T10:16:22.340

Modified: 2026-06-12T13:08:47.310

Link: CVE-2026-49875

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T10:30:24Z

Weaknesses
  • CWE-611

    Improper Restriction of XML External Entity Reference