Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAB8XdGBg+YSEHyiuBM-vyogE7JHs87F3QGvfDf0Q8RWgn9Z8gA@mail.gmail.com>
Date: Fri, 22 May 2026 12:12:22 +0100
From: Colm O hEigeartaigh <coheigea@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-44930: Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository

Severity: important

Affected versions:

- Apache CXF (org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap)
4.2.0 before 4.2.1
- Apache CXF (org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap)
4.0.0 before 4.1.6
- Apache CXF (org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap)
before 3.6.11

Description:

An LDAP injection vulnerability in the LDAP Certificate repository of
the XKMS server in Apache CXF may allow an attacker to retrieve
arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11,
which fix this issue.

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-44930

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.