CVE-2026-50633

HIGH

Apache CXF JCA Integration - JNDI Injection Remote Code Execution

Title source: manual

Description

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/06/11/10

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf

Scores

CVSS v3 8.1

EPSS 0.0066

EPSS Percentile 46.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (3)

apache/cxf < 4.1.7

Apache Software Foundation/Apache CXF < 4.1.7

Apache Software Foundation/Apache CXF 4.2.0 - 4.2.2

Published Jun 12, 2026

Tracked Since Jun 12, 2026