Description

The fix for CVE-2025-48913 (Apache CXF: Untrusted JMS configuration can lead to RCE) was incomplete: another code path may still lead to code execution if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

State: PUBLISHED | Reserved 2026-05-06 | Published 2026-05-22 | Updated 2026-05-23 | Assigner: apache

Problem types

CWE-20 Improper Input Validation

Product status

Default status: unaffected

4.2.0 (semver) before 4.2.1: affected

4.0.0 (semver) before 4.1.6: affected

Any version before 3.6.11: affected

Credits

Finder: https://github.com/exploitintel (GitHub) / @exploit_intel (Twitter)

References

lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjvmclvz4o (vendor advisory)

cve.org (CVE-2026-44417)

nvd.nist.gov (CVE-2026-44417)