CVE-2026-42404

Apache Neethi: Unrestricted HTTP Redirect Following in Policy References

CVSS 6.5 MEDIUMEPSS 0.5%CWE-918

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.5EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

01 may 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Productos afectados

Apache Software Foundation · Apache Neethi

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oq http://www.openwall.com/lists/oss-security/2026/05/01/8