CVE-2026-44417 Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)

🗓️ 22 May 2026 12:17:25Reported by apacheType

CVE-2026-44417 reports an incomplete fix for CVE-2025-48913 enabling RCE via untrusted JMS; upgrade to 4.2.1, 4.1.6, or 3.6.11.

Reporter	Title	Published	Views	Family All 16
ATTACKERKB	CVE-2026-44417	22 May 202612:17	–	attackerkb
Tenable Nessus	Apache CXF < 3.6.11 / 4.0.x < 4.1.6 / 4.2.x < 4.2.1 Multiple Vulnerabilities	28 May 202600:00	–	nessus
Tenable Nessus	Apache CXF < 4.1.7 / 4.2.x < 4.2.2 Multiple Vulnerabilities	16 Jun 202600:00	–	nessus
Circl	CVE-2026-44417	12 Jun 202611:00	–	circl
CNNVD	Apache CXF 安全漏洞	22 May 202600:00	–	cnnvd
CVE	CVE-2026-44417	22 May 202612:17	–	cve
EUVD	EUVD-2026-31432	22 May 202612:17	–	euvd
EUVD	EUVD-2026-36400	12 Jun 202609:00	–	euvd
NVD	CVE-2026-44417	22 May 202613:16	–	nvd
Positive Technologies	PT-2026-42753	22 May 202600:00	–	ptsecurity

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.cxf:cxf-rt-transports-jms",
    "product": "Apache CXF",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.2.1",
        "status": "affected",
        "version": "4.2.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.1.6",
        "status": "affected",
        "version": "4.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "3.6.11",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjvmclvz4o

22 May 2026 12:17Current

EPSS0.00463

CWE-20