CVE-2026-50633

Published: Jun 12, 2026Modified: Jun 12, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Affected (2)

Products: Apache: Cxf

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Cxf	Before 4.1.7
Apache Cxf	From 4.2.0 to 4.2.2

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf

Source: security@apache.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2026/06/11/10

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.