Remote Code Execution Vulnerability in Apache Neethi
CVE-2026-42404

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Neethi
Vendor: CVE Published:; 1 May 2026

What is CVE-2026-42404?

The Apache Neethi framework exhibits a vulnerability that allows unrestricted fetching of remote policy references via the PolicyReference API. This lack of URI restrictions can be exploited to initiate outbound requests to arbitrary protocols and internal IP addresses. Starting from version 3.2.2, this issue is addressed by limiting the allowed URIs to http and https, thereby prohibiting link-local, multicast, and any-local addresses. Users are strongly urged to upgrade to version 3.2.2 to mitigate potential risks.

Affected Version(s)

Apache Neethi 0 < 3.2.2

References

https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2026
Vulnerability Reserved
Apr 27, 2026

CVE-2026-42404 Data

JSON