CVE-2026-50633
Modified
Modified - Updated After Analysis
JNDI Injection in Apache CXF JCA Integration
Vulnerability report for CVE-2026-50633, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-12
Last updated on: 2026-06-30
Assigner: Apache Software Foundation
Description
Description
A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters.Β Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | cxf | to 4.1.7 (exc) |
| apache | cxf | From 4.2.0 (inc) to 4.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |