CVE-2026-44930

Summary

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.  Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache CXF4.2.0 < 4.2.1affected
Apache Software FoundationApache CXF4.0.0 < 4.1.6affected
Apache Software FoundationApache CXF0 < 3.6.11affected

Weaknesses

  • CWE-90: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

apache-cxf: org.apache.cxf.services.xkms/cxf-services-xkms-x509-repo-ldap: Apache CXF: Information Disclosure via LDAP Injection

Additional References

References