Description

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

PUBLISHED Reserved 2026-05-07 | Published 2026-05-22 | Updated 2026-05-22 | Assigner apache

Problem types

CWE-611 Improper Restriction of XML External Entity Reference

Product status

Default status
unaffected

4.2.0 (semver) before 4.2.1
affected

4.0.0 (semver) before 4.1.6
affected

Any version before 3.6.11
affected

Credits

Credit to IcySun (icysun@qq.com), 广东东方思维科技有限公司 finder

References

www.openwall.com/lists/oss-security/2026/05/22/8

lists.apache.org/thread/c7vb015f8ljmjl44030mn0yfq71f7sd7 vendor-advisory

cve.org (CVE-2026-44618)

nvd.nist.gov (CVE-2026-44618)
