CVE-2026-42403
Received Received - Intake
Apache Neethi Policy Circular Reference Denial of Service

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: Apache Software Foundation

Description
Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition Users are recommended to upgrade to version 3.2.2, which fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42403
EUVD
EUVD-2026-26486
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache neethi to 3.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Apache Neethi where it does not properly detect circular references in WS-Policy documents. Specifically, if a policy references another policy that in turn references the first policy, this circular reference causes the policy normalization process to enter an infinite loop or excessive recursion.

As a result, this can lead to a stack overflow or cause the application to hang.

An attacker can exploit this by crafting malicious policy documents with such circular references to trigger these conditions.

Impact Analysis

The primary impact of this vulnerability is a Denial of Service (DoS) condition.

When exploited, the application using Apache Neethi can hang or crash due to stack overflow caused by infinite recursion in policy processing.

This can disrupt normal service availability and potentially affect dependent systems or users relying on the affected application.

Mitigation Strategies

Users are recommended to upgrade to Apache Neethi version 3.2.2, which fixes this issue.

Compliance Impact

This vulnerability causes a Denial of Service (DoS) condition by allowing an attacker to trigger infinite loops or stack overflows through crafted circular policy references in Apache Neethi. While it impacts availability, it does not directly affect confidentiality or integrity of data.

Since common standards and regulations like GDPR and HIPAA emphasize the protection of personal data confidentiality, integrity, and availability, this vulnerability primarily impacts the availability aspect. A successful DoS could disrupt services that handle regulated data, potentially leading to non-compliance with availability requirements.

However, there is no direct indication from the provided information that this vulnerability leads to unauthorized data access or data breaches affecting confidentiality or integrity.

Users are recommended to upgrade to version 3.2.2 to mitigate this issue and maintain compliance with availability requirements in relevant standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42403. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart