Remote Code Execution Vulnerability in Apache CXF by Apache
CVE-2026-44417

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Cxf
Vendor: CVE Published:; 22 May 2026

What is CVE-2026-44417?

A security flaw in Apache CXF allows potential remote code execution due to incomplete fixes related to untrusted JMS configuration. When untrusted users are allowed to configure JMS, this vulnerability can be exploited, leading to unauthorized code execution on the server. Users are strongly urged to upgrade to versions 4.2.1, 4.1.6, or 3.6.11 to address this issue effectively.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.1

Apache CXF 4.0.0 < 4.1.6

Apache CXF 0 < 3.6.11

References

https://lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjv...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
May 6, 2026

Credit

Github / twitter - https://github.com/exploitintel / @exploit_intel

CVE-2026-44417 Data

JSON