CVE-2026-50633

Source
https://cve.org/CVERecord?id=CVE-2026-50633
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50633.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-50633
Published
2026-06-12T09:02:02.547Z
Modified
2026-07-08T08:13:41.702195424Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl
Details

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50633.json",
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "apache",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "4.2.0"
                },
                {
                    "fixed": "4.2.2"
                },
                {
                    "fixed": "4.1.7"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type
GIT
Repo
https://github.com/apache/cxf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.1.7"
        },
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.2"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

cxf-2.*
cxf-2.1
cxf-2.1.2
cxf-2.2
cxf-2.2.1
cxf-2.2.2
cxf-2.3.0
cxf-2.4.0
cxf-2.5.0
cxf-2.5.1
cxf-2.6.0
cxf-2.6.1
cxf-2.7.0
cxf-2.7.1
cxf-2.7.2
cxf-3.*
cxf-3.0.0
cxf-3.0.0-milestone2
cxf-3.1.0
cxf-3.1.1
cxf-3.1.2
cxf-3.1.3
cxf-3.1.4
cxf-3.2.0
cxf-3.2.1
cxf-3.2.2
cxf-3.2.3
cxf-3.2.4
cxf-3.2.5
cxf-3.3.0
cxf-3.3.1
cxf-3.3.2
cxf-3.3.3
cxf-3.4.0
cxf-3.4.1
cxf-3.5.0
cxf-4.*
cxf-4.0.0
cxf-4.0.1
cxf-4.0.2
cxf-4.0.3
cxf-4.0.4
cxf-4.1.0
cxf-4.1.1
cxf-4.1.2
cxf-4.1.3
cxf-4.1.4
cxf-4.1.5
cxf-4.1.6
cxf-4.2.0
cxf-4.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50633.json"