Description
A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow code execution if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fix this issue.
Published: 2026-06-12
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A JNDI Injection flaw in Apache CXF's JCA integration allows an attacker who can alter the JCA deployment descriptor (ra.xml) or its runtime activation parameters to execute arbitrary code. The weakness stems from insufficient validation of JNDI references (CWE-20) and is also classified as CWE-502 (deserialization of untrusted data), potentially leading to compromise of confidentiality, integrity, and availability on affected hosts.

Affected Systems

The flaw affects Apache CXF, published by the Apache Software Foundation. Versions before 4.2.2 and before 4.1.7 are vulnerable, as they contain the unpatched JCA integration module that performs JNDI lookups without proper validation.

Risk and Exploitability

The CVSS score is 8.1 and the EPSS is below 1%; the vulnerability is not listed in CISA's KEV catalog, so no exploitation in the wild has been documented yet. Still, the high CVSS score reflects significant potential for code execution through a manipulated deployment descriptor. The threat is most pronounced in environments where attackers can modify configuration files or have local access. The likely attack vector is local or privileged alteration of ra.xml or the JCA activation parameters, so mitigations should focus on strict file permissions and rapid patching.

Generated by OpenCVE AI on June 17, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache CXF to version 4.2.2 or 4.1.7 to apply the JNDI injection fix.
  • If upgrading is not immediately possible, disable the JCA integration module until a patch is available.
  • Enforce strict file permissions on the JCA deployment descriptor (ra.xml) and runtime activation parameters so that only authorized administrators can modify them.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-502
References | |
Metrics | threat_severity: None | threat_severity: Important


Fri, 12 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apache; Apache cxf
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
Vendors & Products | | Apache; Apache cxf

Fri, 12 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 10:30:00 +0000

Type | Values Removed | Values Added
References | |

Fri, 12 Jun 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow code execution if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fix this issue.
Title | | Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-30T03:18:47.194Z

Reserved: 2026-06-05T11:16:38.629Z

Link: CVE-2026-50633

Vulnrichment

Updated: 2026-06-12T09:28:11.629Z

NVD

Status : Analyzed

Published: 2026-06-12T10:16:23.297

Modified: 2026-06-12T18:53:11.240

Link: CVE-2026-50633

Redhat

Severity : Important

Public Date: 2026-06-12T09:02:02Z

Links: CVE-2026-50633 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-17T23:45:13Z

Weaknesses