Apache CXF SSRF Vulnerability
Description
An SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF-style attacks on webservices that take at least one parameter of any type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache CXF before 3.5.5 and 3.4.10 has an SSRF vulnerability in MTOM request handling, allowing attackers to perform server-side request forgery.
The vulnerability is a server-side request forgery (SSRF) in Apache CXF's handling of MTOM (SOAP Message Transmission Optimization Mechanism) requests. Specifically, when parsing the href attribute of XOP:Include elements, the software does not properly validate the URI, allowing an attacker to control the target of a subsequent HTTP request [1][2].
To exploit this, the attacker must send a crafted SOAP message with MTOM attachments containing a malicious XOP:Include href pointing to an internal or external resource. The web service must accept at least one parameter of any type. The vulnerability exists in versions before 3.5.5 and 3.4.10 [2].
Successful exploitation allows an attacker to perform SSRF attacks, potentially accessing internal systems, scanning internal networks, or interacting with cloud metadata endpoints, bypassing firewalls and access controls.
The Apache CXF project has released fixed versions 3.5.5 and 3.4.10. Users should upgrade to these versions to mitigate the vulnerability [2]. No known exploits are publicly reported.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
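As an added defensive example (not Apache CXF's own code, and not a description of how the project implemented its fix), the following Python check applies the constraint the narrative above implies: an XOP:Include href in an MTOM message should name a MIME part of the same message by Content-ID (a cid: URI), never a URL the server would have to fetch. The namespace constants, the attached Content-IDs and the sample messages are constructed for the example.

```python
"""Defensive check for XOP:Include hrefs in MTOM requests.

Added example, not Apache CXF code. In MTOM the href of an XOP:Include is
meant to name a MIME part of the same message by Content-ID (cid: URI,
RFC 2392); any other scheme asks the server to fetch a client-chosen URL.
"""
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XOP_NS = "http://www.w3.org/2004/08/xop/include"

# Constructed: Content-IDs of the MIME parts that actually arrived with the
# message (the MIME header would read "Content-ID: <part1@example.invalid>").
ATTACHED_CIDS = {"part1@example.invalid"}


def check_xop_hrefs(soap_xml: str, attached_cids: set) -> list:
    """Return a finding for every XOP:Include href that is not a safe reference.

    Safe means: cid: scheme, and the referenced Content-ID is among the
    attachments of this same message. An empty list means the message passed.
    """
    findings = []
    root = ET.fromstring(soap_xml)
    for inc in root.iter(f"{{{XOP_NS}}}Include"):
        href = inc.get("href", "")
        if not href.lower().startswith("cid:"):
            findings.append(f"non-cid href: {href!r}")
            continue
        cid = unquote(href[len("cid:"):])  # cid: URIs may be percent-encoded
        if cid not in attached_cids:
            findings.append(f"dangling cid reference: {href!r}")
    return findings


def envelope(*hrefs: str) -> str:
    """Build a constructed SOAP 1.1 message with one XOP:Include per href."""
    parts = "".join(f'<ns:data><xop:Include href="{h}"/></ns:data>' for h in hrefs)
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:xop="{XOP_NS}">'
            f'<soap:Body><ns:upload xmlns:ns="urn:example:svc">{parts}'
            f'</ns:upload></soap:Body></soap:Envelope>')


if __name__ == "__main__":
    good = envelope("cid:part1@example.invalid")
    bad = envelope("http://client-chosen.example/resource", "cid:missing@example.invalid")
    print(check_xop_hrefs(good, ATTACHED_CIDS))  # []
    print(check_xop_hrefs(bad, ATTACHED_CIDS))   # two findings: non-cid, then dangling
```

The same check can be run over captured requests as a detection rule: any MTOM message whose XOP:Include href carries a non-cid scheme is worth alerting on regardless of the CXF version in use.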
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cxf:cxf-core (Maven) | < 3.4.10 | 3.4.10 |
| org.apache.cxf:cxf-core (Maven) | >= 3.5.0, < 3.5.5 | 3.5.5 |
Affected products
- Apache Software Foundation / Apache CXF
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cxf.apache.org/security-advisories.data/CVE-2022-46364.txt (vendor advisory)
- github.com/advisories/GHSA-x3x3-qwjq-8gj4 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-46364 (NVD advisory)
News mentions
No linked articles in our index yet.