EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in Apache CXF Framework versions 4.2.0, 4.0.0, and older releases before 3.6.11. The vulnerabilities include information disclosure, remote code execution, and LDAP injection flaws that compromise the security and integrity of enterprise servers. These issues pose significant business risk, with potential consequences including data breaches, system compromise, and reputational damage. The Apache CXF framework is widely used to build web services, making it an attractive target for attackers seeking to exploit these vulnerabilities.
CVE-2026-44930 with a CVSS score of 9.8 – An LDAP injection vulnerability in the XKMS server component allows an unauthorized attacker to manipulate queries to retrieve arbitrary certificates from the internal repository. This flaw requires an attacker to send a crafted LDAP query to the XKMS server.
CVE-2026-44618 with a CVSS score of 5.3 – A severe vulnerability in the WS-Transfer functionality allows malicious actors to conduct XML External Entity (XXE) attacks, enabling them to read sensitive files or map internal networks. This flaw can be exploited by sending a crafted XML payload to the WS-Transfer endpoint.
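Two controls that address the flaw classes described above, as an added example rather than code from Apache CXF: RFC 4515 escaping of a caller-supplied value before it is placed in an LDAP search filter (the XKMS certificate lookup case), and rejection of DOCTYPE declarations in inbound XML before parsing (the WS-Transfer XXE case). The attribute names, filter shape and sample inputs are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# RFC 4515, section 3: characters that must be escaped inside a filter
# assertion value so they are treated as data, not filter syntax.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_value(value: str) -> str:
    """Escape a string for inclusion as an LDAP filter assertion value."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def certificate_lookup_filter(subject_cn: str) -> str:
    """Build a filter that locates a certificate entry by its subject CN.

    The attribute 'cn' and the objectClass are assumed for illustration.
    Because the caller-supplied value is escaped first, a value containing
    '*' or ')' cannot widen the match or restructure the query.
    """
    return f"(&(objectClass=inetOrgPerson)(cn={escape_ldap_value(subject_cn)}))"


# Any DTD is refused: a DOCTYPE is the carrier for entity declarations,
# so rejecting it up front means the parser never processes one.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_untrusted_xml(payload: bytes) -> ET.Element:
    """Parse an inbound XML message only if it declares no DOCTYPE."""
    if _DOCTYPE_RE.search(payload):
        raise ValueError("DOCTYPE declarations are not accepted in inbound messages")
    return ET.fromstring(payload)


if __name__ == "__main__":
    # Constructed inputs: a benign lookup and one that would alter the filter.
    print(certificate_lookup_filter("alice"))
    print(certificate_lookup_filter("*)(objectClass=*"))
    print(parse_untrusted_xml(b"<Get xmlns='http://example.invalid/ns'/>").tag)
```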
Exploitation of these Apache CXF vulnerabilities poses significant business risk and calls for urgent remediation: it can lead to data breaches, system compromise, and reputational damage, with substantial financial losses for the affected enterprise.
RECOMMENDATION:
We recommend updating Apache CXF Framework to version 4.2.1, 4.1.6, or 3.6.11.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/apache-cxf-vulnerabilities-patch-guide/