8.1

CVE-2026-50633

Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheCxf Version < 4.1.7
ApacheCxf Version >= 4.2.0 < 4.2.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.78% 0.514
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf
Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/06/11/10
Third Party Advisory
Mailing List
https://access.redhat.com/security/cve/CVE-2026-50633
https://bugzilla.redhat.com/show_bug.cgi?id=2488307
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50633.json