Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory
Summary
| CVE | CVE-2026-50632 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-12 10:16:23 UTC |
| Updated | 2026-07-10 12:17:09 UTC |
| Description | A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. |
Risk And Classification
Primary CVSS: v3.1 8.1 HIGH from ADP
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.005530000 probability, percentile 0.417640000 (date 2026-06-20)
Problem Types: CWE-20 | NVD-CWE-noinfo | CWE-502 | CWE-20 CWE-20 Improper Input Validation | CWE-502 Deserialization of Untrusted Data
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache CXF | affected 4.2.0 4.2.2 semver | Not specified |
| CNA | Apache Software Foundation | Apache CXF | affected 4.1.7 semver | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4.18.1.P1 For Spring Boot 3.5.16 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Single Sign-On 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.apache.org/thread/740ghch5z5y675cn2kzgtyo5k37n6qcw | [email protected] | lists.apache.org | Vendor Advisory |
| access.redhat.com/security/cve/CVE-2026-50632 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37390 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50632.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Venkatraman Kumar (r3dw0lfsec), Securin (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-12T10:01:09.993Z | Reported to Red Hat. |
| ADP | 2026-06-12T09:00:48.530Z | Made public. |
Solutions
ADP: RHSA-2026:37390: Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot 3.5.16
Workarounds
ADP: To mitigate this issue, ensure that only trusted administrators have the necessary permissions to configure Java Message Service (JMS) for Apache CXF. Restricting access to JMS configuration prevents untrusted users from exploiting this vulnerability. Review and enforce strict access controls on systems where Apache CXF is deployed with JMS transport.