CVE-2026-42404
Apache Neethi Remote Policy Reference URI Restriction Bypass
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | neethi | up to 3.2.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache Neethi occurs because the software does not restrict the types of URIs that can be used when manually fetching remote policy references through its PolicyReference API.
When an application explicitly calls this API to retrieve a policy from a remote URI, it can make outbound requests to arbitrary protocols and internal IP addresses, potentially exposing internal network resources.
Starting from version 3.2.2, Apache Neethi restricts URIs to only http or https protocols and forbids link-local, multicast, or any-local addresses to mitigate this issue.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker or malicious application to make unauthorized outbound requests to internal IP addresses or arbitrary protocols through the PolicyReference API.
Such behavior could lead to information disclosure about internal network resources or potentially enable further attacks within the internal network.
Upgrading to Apache Neethi version 3.2.2 or later is recommended to prevent these unauthorized requests.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Neethi to version 3.2.2, which fixes this issue by restricting allowed URIs to only http or https and forbidding link-local, multicast, and any-local addresses.
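As an added example (not Neethi's own code), a pre-fetch guard that applies exactly the restrictions the record attributes to version 3.2.2: only http or https, and no link-local, multicast or any-local destination; the class name `PolicyUriGuard`, the `reject` method and the sample URIs are constructed for this illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Set;

// Hypothetical validator to run before fetching a remote PolicyReference URI.
public final class PolicyUriGuard {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns null if the URI may be fetched, otherwise the reason it was rejected. */
    public static String reject(String rawUri) {
        URI uri;
        try {
            uri = new URI(rawUri);
        } catch (URISyntaxException e) {
            return "unparseable URI";
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            return "scheme not http/https: " + scheme;
        }
        String host = uri.getHost();
        if (host == null) {
            return "no host component";
        }
        InetAddress[] addrs;
        try {
            // IP literals (including bracketed IPv6) resolve locally; hostnames
            // go to DNS, so the check covers what the resolver returns right now.
            addrs = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            return "unresolvable host: " + host;
        }
        for (InetAddress a : addrs) {
            if (a.isLinkLocalAddress()) return "link-local address: " + a.getHostAddress();
            if (a.isMulticastAddress()) return "multicast address: " + a.getHostAddress();
            if (a.isAnyLocalAddress())  return "any-local address: " + a.getHostAddress();
            // Loopback and site-local (RFC 1918) ranges are not in the described
            // fix; a deployment wanting them blocked would add those checks here.
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample URIs, not taken from any real report or traffic.
        List<String> samples = List.of(
            "https://198.51.100.7/policy.xml",   // allowed (documentation-range literal)
            "ftp://policy.example/wsp.xml",      // rejected: scheme
            "http://169.254.10.20/policy.xml",   // rejected: IPv4 link-local
            "http://224.0.0.1/policy.xml",       // rejected: multicast
            "http://0.0.0.0/policy.xml",         // rejected: any-local (wildcard)
            "https://[fe80::1]/policy.xml");     // rejected: IPv6 link-local
        for (String s : samples) {
            String why = reject(s);
            System.out.println((why == null ? "ALLOW  " : "REJECT ") + s
                + (why == null ? "" : "  (" + why + ")"));
        }
    }
}
```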
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Apache Neethi making outbound requests to arbitrary protocols and internal IP addresses when fetching remote policy references through the PolicyReference API.
To detect exploitation attempts on your network or system, you can monitor outbound network traffic for unusual HTTP or HTTPS requests to internal IP ranges or unexpected protocols.
- Use network monitoring tools like tcpdump or Wireshark to capture outbound traffic and filter for HTTP/HTTPS requests to internal IP addresses (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- Example tcpdump command to capture HTTP/HTTPS traffic to private IP ranges: `tcpdump -i <interface> '((dst net 10.0.0.0/8) or (dst net 172.16.0.0/12) or (dst net 192.168.0.0/16)) and (tcp port 80 or tcp port 443)'`. Note that this filter only matches TCP ports 80 and 443; requests the unpatched API makes over other protocols or ports are not captured by it.
- Check application logs for calls to the PolicyReference API that include URIs with disallowed protocols or internal IP addresses.
Upgrading Apache Neethi to version 3.2.2 or later is recommended to prevent this issue.