CVE-2026-49875
Received - Intake
XML External Entity Injection in Apache CXF

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Apache Software Foundation

Description
Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product   Version / Range
apache   cxf       up to 4.2.2 (excluding)
apache   cxf       up to 4.1.7 (excluding)
CWE
CWE-611: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Executive Summary

CVE-2026-49875 is an XML External Entity (XXE) Injection vulnerability found in Apache CXF, specifically affecting the W3CMultiSchemaFactory and EndpointReferenceUtils classes.

The vulnerability occurs because these classes create a SAXParserFactory without applying the necessary JAXP hardening configurations, which allows out-of-band (OOB) external entity resolution.

This means that an attacker who can supply XML to these parsers can make them resolve external entities, reaching external resources or causing other unintended behavior.

Users are recommended to upgrade to Apache CXF versions 4.2.2 or 4.1.7 where this issue has been fixed.

Impact Analysis

This vulnerability can allow attackers to perform out-of-band external entity resolution, which may lead to unauthorized access to internal files or systems, denial of service, or information disclosure.

Exploitation of this issue could enable attackers to read sensitive data, cause application crashes, or interact with internal network resources that are otherwise inaccessible.

Mitigation Strategies

To mitigate the CVE-2026-49875 vulnerability in Apache CXF, users are recommended to upgrade to fixed versions.

  • Upgrade Apache CXF to version 4.2.2 or later.
  • Alternatively, upgrade to version 4.1.7 or later if using the 4.1.x branch.
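As an added illustration of the JAXP hardening the description refers to (example code written for this page, not Apache CXF's own code and not its fix in 4.2.2/4.1.7), the snippet below contrasts the bare factory pattern with a hardened SAXParserFactory and checks that a DOCTYPE-carrying document is rejected before any entity is resolved. The probe document and its hostname are constructed placeholders.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedSaxFactoryDemo {

    // Constructed probe: a DOCTYPE declaring an external entity. The host is a
    // placeholder; a correctly hardened parser never attempts to contact it.
    static final String PROBE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/probe\">]>"
      + "<d>&ext;</d>";

    // Unhardened pattern (the class of defect the CVE describes): a factory with
    // no features set, i.e. plain SAXParserFactory.newInstance(), whose parsers
    // resolve external general and parameter entities by default.

    // Hardened pattern: JAXP secure processing plus explicit DTD/entity features.
    // The apache.org feature URIs are honoured by the JDK's Xerces-derived parser
    // and by Xerces; other implementations may throw SAXNotRecognizedException.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Second layer (JAXP 1.5): forbid all external DTD/schema access on the parser.
    static SAXParser hardenedParser() throws Exception {
        SAXParser p = hardenedFactory().newSAXParser();
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return p;
    }

    // Returns true when the parser refuses the probe (DOCTYPE rejected up front).
    static boolean rejectsProbe(SAXParser p) throws Exception {
        try {
            p.parse(new InputSource(new StringReader(PROBE)), new DefaultHandler());
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects probe: " + rejectsProbe(hardenedParser()));
    }
}
```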