CVE-2026-50632
HIGHApache CXF JMSConfigFactory - JNDI Injection Remote Code Execution
Title source: manualDescription
A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://lists.apache.org/thread/740ghch5z5y675cn2kzgtyo5k37n6qcw
Scores
CVSS v3
8.1
EPSS
0.0055
EPSS Percentile
41.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-20
Status
published
Products (3)
apache/cxf
< 4.1.7
Apache Software Foundation/Apache CXF
< 4.1.7
Apache Software Foundation/Apache CXF
4.2.0 - 4.2.2
Published
Jun 12, 2026
Tracked Since
Jun 12, 2026