CVE-2026-50645
Description
Apache CXF messages have no limit on attachment headers, enabling uncontrolled resource consumption and denial of service attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apache CXF versions 4.2.0 before 4.2.2 and all versions before 4.1.7 do not enforce any restriction on the number of attachment headers that a message can contain during deserialization. This allows an attacker to craft a message with a large number of attachment headers, leading to uncontrolled resource consumption. The affected component is the org.apache.cxf:cxf-core library [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted message to an Apache CXF endpoint that processes attachments. No authentication or prior access is required; the attacker only needs network access to the target service. The message contains an arbitrarily high number of attachment headers, which the deserialization process handles without any limit [1].
Impact
Successful exploitation causes uncontrolled resource consumption on the target server, which can lead to a denial of service (DoS) condition. The impact is primarily on resource availability, with no direct effect on confidentiality or integrity [1].
Mitigation
The vulnerability is fixed in Apache CXF versions 4.2.2 and 4.1.7, released June 11, 2026. These versions impose a default maximum of 500 attachments per message. Users should upgrade to the fixed versions. No workaround is mentioned in the available references [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.