CRITICAL🇵🇱 Wersja polska

CVE-2026-49875

CVSS 9.8pub. 2026-06-12upd. 2026-06-30

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

🤖 AI Analysis
How it works

The EndpointReferenceUtils and W3CMultiSchemaFactory classes initialize SAXParserFactory without the necessary JAXP (Java API for XML Processing) hardening configurations. As a result, the XML parser does not block out-of-band (OOB) external entity resolution. An attacker can submit a specially crafted XML document containing a reference to an external resource, which will be automatically retrieved by the server processing the request.

Impact

An attacker can read arbitrary files from the server's file system, gain access to internal network resources (SSRF), and potentially affect the integrity and availability of the system, which corresponds to a complete breach of confidentiality, integrity, and availability (CVSS C:H/I:H/A:H).

Mitigation & patch

Apache CXF should be updated to version 4.2.2 or 4.1.7, which contain a patch eliminating the vulnerability. Details are available in the vendor references.

Who is affected

Apache CXF in versions prior to 4.2.2 and 4.1.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Cxf

    APP
    Apache
    < 4.1.74.2.0 – 4.2.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-50627CRITICAL9.1PL ✓ten sam produkt

Apache CXF: brak weryfikacji pola 'aud' w tokenach JWT (Token Confusion)

CVE-2026-50628CRITICAL9.8PL ✓ten sam produkt

Apache CXF: błąd logiki w OAuthRequestFilter odwraca weryfikację IP

CVE-2026-44930CRITICAL9.8ten sam produkt

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow ...

CVE-2025-48913CRITICAL9.8PL ✓ten sam produkt

Apache CXF: RCE przez złośliwe URL w konfiguracji JMS

CVE-2024-29736CRITICAL9.1PL ✓ten sam produkt

SSRF w opisie usług WADL w Apache CXF