CVE-2026-50633 | A JNDI Injection vulnerability has been discovered in Apache… | CVSS 8.1 HIGH

Description

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Metadata

CVE ID: CVE-2026-50633
State: PUBLISHED
Assigner: apache
Reserved: 2026-06-05 11:16 UTC
Published: 2026-06-12 09:02 UTC
Last updated: 2026-06-13 03:55 UTC
Primary CWE: CWE-20
CWE-20 Improper Input Validation
Vendor / Product: Apache Software Foundation / Apache CXF
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache CXF	—	4.2.0 < 4.2.2, 0 < 4.1.7

Weakness (CWE)

CWE	Source	Description
CWE-20	cna	CWE-20 Improper Input Validation

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.1	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

https://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf