Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils
CVE-2026-49875

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Cxf
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-49875?

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gp...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 2, 2026

Credit

Venkatraman Kumar (r3dw0lfsec), Securin

CVE-2026-49875 Data

JSON