Apache CXF JCA Integration Module JNDI Injection (CVE-2026-50633)

critical-cve-against-dependency · active

A JNDI injection flaw in Apache CXF's JCA integration module can lead to code execution if an attacker can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users should upgrade to Apache CXF 4.2.2 or 4.1.7.

Affected packages

• mavenorg.apache.cxf:cxf-integration-jcaupgrade to ≥ 4.1.7

Sources

• ghsahttps://github.com/advisories/GHSA-qp3f-rvj8-46c8
• nvdhttps://nvd.nist.gov/vuln/detail/CVE-2026-50633
• google-searchhttps://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf
• google-searchhttp://www.openwall.com/lists/oss-security/2026/06/11/10