Remote Code Execution in Apache CXF Due to Incomplete Fix
CVE-2026-50632

8.1HIGH

Key Information:

Vendor

Apache

Vendor
CVE Published:
12 June 2026

What is CVE-2026-50632?

An issue has been identified in Apache CXF where an incomplete fix for a previous advisory has been revealed. The vulnerability arises from untrusted configurations of JMS which can lead to potential remote code execution. If untrusted users are permitted to configure JMS settings, they may exploit this flaw, allowing them to execute arbitrary code. It is strongly recommended that users upgrade to versions 4.2.2 or 4.1.7 to mitigate this risk.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Venkatraman Kumar (r3dw0lfsec), Securin
.