CVE-2026-49875
Modified Modified - Updated After Analysis

XML External Entity Injection in Apache CXF

Vulnerability report for CVE-2026-49875, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-30

Assigner: Apache Software Foundation

Description

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution.Β Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-12
Last Modified
2026-06-30
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-07-01
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache cxf to 4.1.7 (exc)
apache cxf From 4.2.0 (inc) to 4.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49875 is an XML External Entity (XXE) Injection vulnerability found in Apache CXF, specifically affecting the W3CMultiSchemaFactory and EndpointReferenceUtils classes.

The vulnerability occurs because these classes create a SAXParserFactory without applying the necessary JAXP hardening configurations, which allows out-of-band (OOB) external entity resolution.

This means that an attacker can exploit the XML parser to access external resources or cause other unintended behaviors by injecting malicious XML entities.

Users are recommended to upgrade to Apache CXF versions 4.2.2 or 4.1.7 where this issue has been fixed.

Impact Analysis

This vulnerability can allow attackers to perform out-of-band external entity resolution, which may lead to unauthorized access to internal files or systems, denial of service, or information disclosure.

Exploitation of this issue could enable attackers to read sensitive data, cause application crashes, or interact with internal network resources that are otherwise inaccessible.

Mitigation Strategies

To mitigate the CVE-2026-49875 vulnerability in Apache CXF, users are recommended to upgrade to fixed versions.

  • Upgrade Apache CXF to version 4.2.2 or later.
  • Alternatively, upgrade to version 4.1.7 or later if using the 4.1.x branch.
Detection Guidance

This vulnerability is related to improper configuration of SAXParserFactory in Apache CXF versions before 4.2.2 and 4.1.7, which allows XML External Entity (XXE) injection via out-of-band external entity resolution.

To detect if your system is vulnerable, you can first check the version of Apache CXF in use. If it is older than 4.2.2 or 4.1.7, it is potentially vulnerable.

  • Use commands to identify the Apache CXF version, for example, if using Maven dependencies: mvn dependency:list | grep cxf-core
  • Search your deployed application or server for the presence of vulnerable CXF JAR files and check their versions.

For active detection of the XXE vulnerability, you can attempt to send crafted XML payloads that include external entity references to endpoints using Apache CXF and monitor for out-of-band interactions or error messages indicating external entity resolution.

However, specific detection commands or scripts are not provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49875. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart