CVE-2026-50632

high

Description

A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50632.json

https://lists.apache.org/thread/740ghch5z5y675cn2kzgtyo5k37n6qcw

https://bugzilla.redhat.com/show_bug.cgi?id=2488304

https://access.redhat.com/security/cve/CVE-2026-50632

Details

Source: Mitre, NVD

Published: 2026-06-12

Updated: 2026-07-02

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00039