CVE-2026-49875

Vulnerability

Apache CXF versions 4.2.0 before 4.2.2 and all versions before 4.1.7 are affected. The EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution [1].

Exploitation

An attacker can provide a crafted XML payload containing an external entity reference that points to an external resource (e.g., a file or network endpoint). The vulnerable code processes this XML without disabling external entity processing, allowing the attacker to trigger out-of-band data exfiltration or server-side request forgery. No authentication is required if the vulnerable endpoint is exposed [1].

Impact

Successful exploitation leads to XML External Entity (XXE) injection, which can result in disclosure of sensitive files, internal network scanning, or denial of service via resource exhaustion. The attacker gains the ability to read arbitrary files on the server or perform SSRF attacks [1].

Mitigation

Upgrade to Apache CXF version 4.2.2 or 4.1.7, which include the necessary JAXP hardening to disable external entity processing. No workaround is mentioned in the available reference [1].