CVE-2026-50632
Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.1EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Lifecycle
12 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Apache Software Foundation · Apache CXFWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →