VYPR

Cxf

by Apache


CVEs (39)

  • CVE-2026-50628 | Critical | Jun 12, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to…

  • CVE-2026-49875 | Critical | Jun 12, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix…

  • CVE-2026-44930 | Critical | May 22, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

  • CVE-2012-0803 | Critical | Aug 8, 2017
    risk 0.64 | CVSS 9.8 | EPSS 0.04

    The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request.

  • CVE-2010-2076 | Critical | Aug 19, 2010
    risk 0.64 | CVSS 9.8 | EPSS 0.10

    Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read…

  • CVE-2026-50627 | Critical | Jun 12, 2026
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token…

  • CVE-2026-50633 | High | Jun 12, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to…

  • CVE-2026-50632 | High | Jun 12, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended…

  • CVE-2026-50645 | High | Jun 12, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which…

  • CVE-2026-44417 | High | May 22, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to…

  • CVE-2026-50631 | High | Jun 12, 2026
    risk 0.48 | CVSS 7.4 | EPSS 0.00

    A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by…

  • CVE-2026-50634 | Medium | Jun 12, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata…

  • CVE-2026-50630 | Medium | Jun 12, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm…

  • CVE-2017-3156 | High | Aug 10, 2017
    risk 0.42 | CVSS 7.5 | EPSS 0.06

    The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

  • CVE-2016-8739 | High | Aug 10, 2017
    risk 0.42 | CVSS 7.5 | EPSS 0.07

    The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

  • CVE-2017-5656 | High | Apr 18, 2017
    risk 0.42 | CVSS 7.5 | EPSS 0.07

    Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.

  • CVE-2026-50629 | Medium | Jun 12, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are…

  • CVE-2026-44618 | Medium | May 22, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

  • CVE-2016-6812 | Medium | Aug 10, 2017
    risk 0.33 | CVSS 6.1 | EPSS 0.09

    The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current…

  • CVE-2026-50623 | Medium | Jun 12, 2026
    risk 0.31 | CVSS 4.8 | EPSS 0.00

    An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker.…

Page 1 of 2