Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAB8XdGDCmKjktp_wBQV-aoyNtGDN+5XbXKU5KPHcJoBdo=t1Sg@mail.gmail.com>
Date: Fri, 22 May 2026 12:09:27 +0100
From: Colm O hEigeartaigh <coheigea@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-44417: Apache CXF: Incomplete fix for CVE-2025-48913
 (Untrusted JMS configuration can lead to RCE)

Severity: moderate

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) 4.2.0 before 4.2.1
- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) 4.0.0 before 4.1.6
- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) before 3.6.11

Description:

The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration
can lead to RCE was not complete, meaning that another path in the
code might lead to code execution capabilities, if untrusted users are
allowed to configure JMS for Apache CXF.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11,
which fix this issue.

Credit:

Github / twitter - https://github.com/exploitintel / @exploit_intel (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-44417

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.