JNDI Injection Vulnerability in Apache CXF's JCA Integration Module
CVE-2026-50633

8.1HIGH

Key Information:

Vendor

Apache

Vendor
CVE Published:
12 June 2026

What is CVE-2026-50633?

A JNDI Injection vulnerability has been identified in the JCA integration module of Apache CXF, enabling potential code execution if attackers gain the ability to manipulate the JCA deployment descriptor (ra.xml) or the activation parameters at runtime. Users are strongly advised to update to the latest versions 4.2.2 or 4.1.7 to mitigate this security risk and ensure secure application performance.

Affected Version(s)

Apache CXF 4.2.0 < 4.2.2

Apache CXF 0 < 4.1.7

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Venkatraman Kumar (r3dw0lfsec), Securin
.