High severity7.5NVD Advisory· Published May 1, 2026· Updated May 1, 2026

CVE-2026-42402

Description

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.

Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.neethi:neethiMaven	< 3.2.2	3.2.2

Affected products

Apache/Neethi
cpe:2.3:a:apache:neethi:*:*:*:*:*:*:*:*
Range: <3.2.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/05/01/6nvdMailing ListThird Party AdvisoryWEB
github.com/advisories/GHSA-g36m-9g3m-2vmpghsaADVISORY
lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4nvdMailing ListVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-42402ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000