CVE-2026-42404
Received Received - Intake
Apache Neethi Remote Policy Reference URI Restriction Bypass

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: Apache Software Foundation

Description
Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42404
EUVD
EUVD-2026-26491
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache neethi to 3.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Apache Neethi occurs because the software does not restrict the types of URIs that can be used when manually fetching remote policy references through its PolicyReference API.

When an application explicitly calls this API to retrieve a policy from a remote URI, it can make outbound requests to arbitrary protocols and internal IP addresses, potentially exposing internal network resources.

Starting from version 3.2.2, Apache Neethi restricts URIs to only http or https protocols and forbids link-local, multicast, or any-local addresses to mitigate this issue.

Impact Analysis

This vulnerability can impact you by allowing an attacker or malicious application to make unauthorized outbound requests to internal IP addresses or arbitrary protocols through the PolicyReference API.

Such behavior could lead to information disclosure about internal network resources or potentially enable further attacks within the internal network.

Upgrading to Apache Neethi version 3.2.2 or later is recommended to prevent these unauthorized requests.

Mitigation Strategies

Users are recommended to upgrade Apache Neethi to version 3.2.2, which fixes this issue by restricting allowed URIs to only http or https and forbidding link-local, multicast, and any-local addresses.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves Apache Neethi making outbound requests to arbitrary protocols and internal IP addresses when fetching remote policy references through the PolicyReference API.

To detect exploitation attempts on your network or system, you can monitor outbound network traffic for unusual HTTP or HTTPS requests to internal IP ranges or unexpected protocols.

  • Use network monitoring tools like tcpdump or Wireshark to capture outbound traffic and filter for HTTP/HTTPS requests to internal IP addresses (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  • Example tcpdump command to capture HTTP/HTTPS traffic to private IP ranges: tcpdump -i <interface> '((dst net 10.0.0.0/8) or (dst net 172.16.0.0/12) or (dst net 192.168.0.0/16)) and (tcp port 80 or tcp port 443)'
  • Check application logs for calls to the PolicyReference API that include URIs with disallowed protocols or internal IP addresses.

Upgrading Apache Neethi to version 3.2.2 or later is recommended to prevent this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart