CVE-2026-50633

high

Description

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

References

https://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf

http://www.openwall.com/lists/oss-security/2026/06/11/10

Details

Source: Mitre, NVD

Published: 2026-06-12

Updated: 2026-06-12

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00039