CVE-2026-50645

Published: Jun 12, 2026Modified: Jun 13, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by imposing a maximum default of 500 attachments per message.

Affected (2)

Products: Apache: Cxf

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Cxf	Before 4.1.7
Apache Cxf	From 4.2.0 to 4.2.2

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (2)

https://lists.apache.org/thread/24zb7cqcvykhwm0j797dmdq25s61mj93

Source: security@apache.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2026/06/11/12

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.