Apache CXF: Incomplete Fix for JMS Configuration RCE (CVE-2026-50632)
critical-cve-against-dependency · active
Apache CXF has a critical remote code execution flaw stemming from an incomplete fix for the earlier CVE-2026-44417. If untrusted users are allowed to configure JMS for Apache CXF, they can achieve code execution. Upgrade to version 4.2.2 or 4.1.7 to remediate.
Affected packages
- maven: org.apache.cxf:cxf-core