VYPR
Unrated severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-50633

Description

JNDI injection in Apache CXF JCA module lets attackers with control over deployment descriptors achieve remote code execution. Upgrade to 4.2.2 or 4.1.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A JNDI Injection vulnerability exists in Apache CXF's JCA integration module, specifically within the DispatchMDBMessageListenerImpl class. An attacker who can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters can inject malicious JNDI lookups, enabling remote code execution. Affected versions are org.apache.cxf:cxf-integration-jca 4.2.0 up to but not including 4.2.2, and all versions before 4.1.7 [1].

Exploitation

The attacker must have the ability to modify the ra.xml deployment descriptor or supply crafted runtime activation parameters. This typically requires write access to the server's configuration files or control over the deployment process. By injecting a JNDI URI pointing to an attacker-controlled LDAP or RMI server within those parameters, the vulnerable code performs the lookup, retrieving a malicious serialized object that triggers code execution on the CXF server [1].

Impact

Successful exploitation allows arbitrary code execution on the server running the affected CXF JCA integration. The attacker gains the same privileges as the CXF application process, which can lead to full compromise of the application server, data exfiltration, or lateral movement within the network. The impact is rated as important [1].

Mitigation

Apache CXF has released fixed versions 4.2.2 and 4.1.7, which remediate the JNDI injection by properly sanitizing JNDI lookup parameters. Users should upgrade to either of these versions immediately. No workarounds have been provided [1].
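A defender-side check for the version ranges stated above (affected: 4.2.0 up to but not including 4.2.2, and everything before 4.1.7), as an added example that is not part of the advisory: it parses `mvn dependency:list` style output, which is a constructed sample here, and flags any `org.apache.cxf:cxf-integration-jca` coordinate that still falls in an affected range. Pre-release qualifiers such as `-SNAPSHOT` are stripped rather than modelled, which is an assumption of this script.

```python
import re

# Coordinate and ranges exactly as the advisory states them.
AFFECTED_ARTIFACT = "org.apache.cxf:cxf-integration-jca"
FIXED_VERSIONS = ("4.2.2", "4.1.7")


def parse_version(version):
    """Turn '4.2.1' (or '4.2.1-SNAPSHOT') into a comparable 3-tuple of ints.

    Assumption: only the dotted numeric core is compared; qualifiers are ignored.
    """
    core = re.match(r"(\d+(?:\.\d+)*)", version)
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in core.group(1).split("."))
    return (parts + (0, 0, 0))[:3]  # pad so that '4.2' compares as 4.2.0


def is_affected(version):
    """True if the version lies in [4.2.0, 4.2.2) or below 4.1.7."""
    v = parse_version(version)
    if (4, 2, 0) <= v < (4, 2, 2):
        return True
    return v < (4, 1, 7)  # 4.1.7 <= v < 4.2.0 is fixed on the 4.1.x line


def find_affected(dependency_list_output):
    """Scan mvn dependency:list output for affected cxf-integration-jca entries.

    Each resolved line ends with groupId:artifactId:type[:classifier]:version:scope.
    """
    findings = []
    for line in dependency_list_output.splitlines():
        token = line.split()[-1] if line.strip() else ""
        parts = token.split(":")
        if len(parts) not in (5, 6):  # 6 parts when a classifier is present
            continue
        coordinate = f"{parts[0]}:{parts[1]}"
        version = parts[-2]
        if coordinate == AFFECTED_ARTIFACT and is_affected(version):
            findings.append((coordinate, version))
    return findings


# Constructed sample of mvn dependency:list output (not real build output).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.cxf:cxf-core:jar:4.2.1:compile
[INFO]    org.apache.cxf:cxf-integration-jca:jar:4.2.1:compile
[INFO]    org.apache.cxf:cxf-integration-jca:jar:tests:4.1.6:test
[INFO]    org.apache.cxf:cxf-integration-jca:jar:4.1.7:test
[INFO]    jakarta.resource:jakarta.resource-api:jar:2.1.0:compile
"""

if __name__ == "__main__":
    for coordinate, version in find_affected(SAMPLE_OUTPUT):
        print(f"AFFECTED {coordinate}:{version} -> upgrade to one of {FIXED_VERSIONS}")
```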

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE: mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet)