Lucene search
+L
ApacheCxf4.2.0

14 matches found

CVE
CVE
added 2026/06/12 8:54 a.m.126 views

CVE-2026-49875

Apache CXF is affected by an XML External Entity (XXE) issue described as CVE-2026-49875. The vulnerability arises because EndpointReferenceUtils and W3CMultiSchemaFactory construct a SAXParserFactory without proper JAXP hardening, enabling out-of-band (OOB) external entity resolution. Affected c...

9.8CVSS5.3AI score0.00527EPSS
CVE
CVE
added 2026/05/22 12:17 p.m.75 views

CVE-2026-44417

CVE-2026-44417 is an Apache CXF-related issue that completes the fix for CVE-2025-48913. The vulnerability arises when untrusted users can configure JMS in CXF, potentially enabling code execution. The published advisories indicate an incomplete fix previously, and upgrades are recommended to mit...

7.5CVSS7.5AI score0.0064EPSS
CVE
CVE
added 2026/06/12 9:6 a.m.69 views

CVE-2026-50645

CVE-2026-50645 affects Apache CXF during message deserialization, where there is no restriction on the number of attachment headers. This can enable uncontrolled resource consumption and a denial-of-service condition. The issue is mitigated by limiting attachments per message to a default maximum...

7.5CVSS5.3AI score0.0046EPSS
CVE
CVE
added 2026/06/12 8:56 a.m.55 views

CVE-2026-50628

CVE-2026-50628 concerns Apache CXF’s OAuthRequestFilter, where a logic error creates an inverted IP binding check: legitimate requests from the bound IP are rejected while requests from other IPs are allowed. Red Hat’s advisory attributes this to the OAuthRequestFilter component of CXF and notes ...

9.8CVSS5.3AI score0.00668EPSS
CVE
CVE
added 2026/06/12 9:2 a.m.53 views

CVE-2026-50633

The CVE-2026-50633 issue is a JNDI Injection vulnerability in Apache CXF’s JCA integration module (DispatchMDBMessageListenerImpl). The vulnerability allows code execution when an attacker can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Affected software is...

8.1CVSS5.4AI score0.0083EPSS
CVE
CVE
added 2026/06/12 9:5 a.m.53 views

CVE-2026-50634

CVE-2026-50634 affects Apache CXF's JwsJsonContainerRequestFilter. The vulnerability allows CXF to process metadata that was not authenticated by the accepted signature, bypassing the assumption that Content-Type or protected HTTP-header metadata came from a verified signature. This can influence...

6.5CVSS5.3AI score0.00278EPSS
CVE
CVE
added 2026/05/22 12:16 p.m.50 views

CVE-2026-44930

Technical details are not publicly available in the provided documents. Monitor for updates.

9.8CVSS5.9AI score0.00722EPSS
CVE
CVE
added 2026/06/12 8:59 a.m.50 views

CVE-2026-50631

CVE-2026-50631 : A TOCTOU race condition in Apache CXF's AbstractOAuthDataProvider allows concurrent requests to reuse the same Refresh Token when recycleRefreshTokens is false, bypassing single-use semantics and generating multiple valid Access Tokens. This can enable token replay/abuse by multi...

7.4CVSS5.3AI score0.00294EPSS
CVE
CVE
added 2026/06/12 8:55 a.m.47 views

CVE-2026-50627

The CVE-2026-50627 issue affects Apache CXF’s JwtAccessTokenValidator, which fails to validate the aud (Audience) claim in incoming JWT access tokens. As described in multiple sources (NVD/Red Hat/CVE List/etc.), a token issued for one Resource Server could be replayed against a different Resourc...

9.1CVSS5.2AI score0.00445EPSS
CVE
CVE
added 2026/05/22 12:17 p.m.40 views

CVE-2026-44618

Technical details for CVE-2026-44618 are not publicly available in the provided documents. The records mention an XXE vulnerability in Apache CXF WS-Transfer and upgrade versions, but no further specifics are provided. Monitor for updates.

5.3CVSS5.7AI score0.00338EPSS
CVE
CVE
added 2026/06/12 9:0 a.m.37 views

CVE-2026-50632

CVE-2026-50632 : Apache CXF exposes a JNDI Injection vulnerability in the JMSConfigFactory. The issue arises when untrusted users configure JMS, potentially allowing code execution. Affected versions are addressed by upgrades to 4.2.2 or 4.1.7. The NVD/CVEs and related feeds document this as a co...

8.8CVSS5.8AI score0.00646EPSS
CVE
CVE
added 2026/06/12 8:58 a.m.33 views

CVE-2026-50630

The CVE-2026-50630 issue affects Apache CXF’s OAuth2 implementation, where the AuthorizationUtils class concatenates the realm parameter into the WWW-Authenticate header without sanitizing CR/LF characters. This can enable header injection or HTTP response splitting if an attacker controls the re...

6.5CVSS5.5AI score0.00404EPSS
CVE
CVE
added 2026/06/12 8:57 a.m.31 views

CVE-2026-50629

The CVE-2026-50629 issue affects Apache CXF’s OAuth2 server where the 'clientId' from HTTP requests is concatenated into log warning messages without sanitizing control characters. This creates log injection risk by allowing arbitrary content in logs. Root cause: unsanitized control characters in...

5.3CVSS5.4AI score0.0047EPSS
CVE
CVE
added 2026/06/12 8:52 a.m.30 views

CVE-2026-50623

CVE-2026-50623 affects Apache CXF’s OAuth2 TokenIntrospectionService. A missing 'throw' in the security context check permits access to the introspection endpoint (/services/oauth2/introspect) by any unauthenticated network attacker. This bypass is tied to a safeguard condition when authenticatio...

4.8CVSS5.4AI score0.00371EPSS