High severity7.5NVD Advisory· Published May 1, 2026· Updated May 1, 2026

CVE-2026-42403

Description

Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.neethi:neethiMaven	< 3.2.2	3.2.2

Affected products

Apache/Neethi
cpe:2.3:a:apache:neethi:*:*:*:*:*:*:*:*
Range: <3.2.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/05/01/7nvdMailing ListThird Party AdvisoryWEB
github.com/advisories/GHSA-2hfh-9h53-qc24ghsaADVISORY
lists.apache.org/thread/zm6t8skkkskjwk1881l4m4n0l7dqclzonvdMailing ListVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-42403ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000