CVE-2026-50632— Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory

AI Predicted 7.5 Difficulty: Hard EPSS 0.20% · P42 Updated Jun 13, 2026

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 2

Vendor	Product	Version Range	Status
Apache Software Foundation	Apache CXF	`4.2.0< 4.2.2`	affected
		`< 4.1.7`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory

Source: NVD (National Vulnerability Database)

Vulnerability Description

A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

输入验证不恰当

Source: NVD (National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Apache Software Foundation	Apache CXF	4.2.0 ~ 4.2.2	-

II. Public POCs for CVE-2026-50632

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-50632

请登录查看更多情报信息。

Mailing List Discussions for CVE-2026-50632 (1)

🔗 CVE-2026-50632: Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory-Apache Mail Archivesvendor-advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-50632

Same Patch Batch · Apache Software Foundation · 2026-06-12 · 11 CVEs total

CVE-2026-50645		Apache CXF: No restriction on attachment headers per message
CVE-2026-50634		Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature ent
CVE-2026-50633		Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl
CVE-2026-50631		Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing
CVE-2026-50630		Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection
CVE-2026-50629		Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
CVE-2026-50628		Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control
CVE-2026-50627		Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator
CVE-2026-49875		Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointRefer
CVE-2026-50623		Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService

IV. Related Vulnerabilities

Same product: Apache CXF

Same vendor: Apache Software Foundation

Same weakness: CWE-20

V. Comments for CVE-2026-50632

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-50632— Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory

Possible ATT&CK Techniques 1AI

Affected Version Matrix 2

I. Basic Information for CVE-2026-50632

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-50632

III. Intelligence Information for CVE-2026-50632

Mailing List Discussions for CVE-2026-50632 (1)

Same Patch Batch · Apache Software Foundation · 2026-06-12 · 11 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-50632

Leave a comment