CVE-2026-44417

Summary

The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache CXF4.2.0 < 4.2.1affected
Apache Software FoundationApache CXF4.0.0 < 4.1.6affected
Apache Software FoundationApache CXF0 < 3.6.11affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

org.apache.cxf/cxf-rt-transports-jms: Apache CXF: Remote Code Execution via untrusted JMS configuration

Additional References

References