CVE-2026-44417— Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 3
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache CXF | 4.2.0< 4.2.1 | affected |
4.0.0< 4.1.6 | affected | ||
< 3.6.11 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44417
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)
Source: NVD (National Vulnerability Database)
Vulnerability Description
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache CXF | 4.2.0 ~ 4.2.1 | - |
II. Public POCs for CVE-2026-44417
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44417
请登录查看更多情报信息。
Mailing list · 1
Same Patch Batch · Apache Software Foundation · 2026-05-22 · 3 CVEs total
| CVE-2026-44618 | Apache CXF: XXE vulnerability in WS-Transfer functionality | |
| CVE-2026-44930 | Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository |
IV. Related Vulnerabilities
Same product: Apache CXF
- CVE-2026-44618
Apache CXF: XXE vulnerability in WS-Transfer functionality - CVE-2026-44930
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Reposi - CVE-2025-48913
Apache CXF: Untrusted JMS configuration can lead to RCE - CVE-2025-48795
Apache CXF: Denial of Service and sensitive data exposure in - CVE-2025-23184
Apache CXF: Denial of Service vulnerability with temporary f
Same vendor: Apache Software Foundation
- CVE-2026-44618
Apache CXF: XXE vulnerability in WS-Transfer functionality - CVE-2026-44930
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Reposi - CVE-2026-48207
Apache Fory: PyFory ReduceSerializer Incomplete Policy Enfor - CVE-2026-45760
Apache Camel K: Camel K Cross-Namespace Build Deputy Attack - CVE-2026-27173
Apache Airflow CNCF Kubernetes provider: JWT Token Exposure
Same weakness: CWE-20
- CVE-2026-26147
Azure Stack HCI Information Disclosure Vulnerability - CVE-2026-40411
Azure Virtual Network Gateway Remote Code Execution Vulnerab - CVE-2026-3294
Authentication Logic Vulnerability on Multiple TP-Link Range - CVE-2026-34207
TypeBot: SSRF Protection Bypass via DNS-Resolved Hostnames i - CVE-2026-34910
UniFi OS设备命令注入漏洞
V. Comments for CVE-2026-44417
No comments yet