CVE-2026-44930

CRITICAL

Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository

Title source: cna
STIX 2.1

Description

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.  Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Scores

CVSS v3 9.8
EPSS 0.0072
EPSS Percentile 49.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-90
Status published
Products (8)
apache/cxf 4.2.0
apache/cxf < 3.6.11
Apache Software Foundation/Apache CXF < 3.6.11
Apache Software Foundation/Apache CXF 4.0.0 - 4.1.6
Apache Software Foundation/Apache CXF 4.2.0 - 4.2.1
org.apache.cxf.services.xkms/cxf-services-xkms-x509-repo-ldap 0 - 3.6.11Maven
org.apache.cxf.services.xkms/cxf-services-xkms-x509-repo-ldap 4.1.0 - 4.1.6Maven
org.apache.cxf.services.xkms/cxf-services-xkms-x509-repo-ldap 4.2.0 - 4.2.1Maven
Published May 22, 2026
Tracked Since May 22, 2026