CVE-2026-50632: Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory
A further incomplete fix has been identified for the previous Apache CXF advisory CVE-2026-44417 (untrusted JMS configuration can lead to RCE). The flaw can allow code execution if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fix this issue.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 4.1.7
- Affected Products: 1
HarborGuard Analysis
Synopsis
A JNDI injection vulnerability (an incomplete fix for a prior remote code execution advisory, CVE-2026-44417) affects Apache CXF versions before 4.1.7 and before 4.2.2. The flaw is reachable over the network without any authentication, though exploitation requires overcoming high attack complexity, and it allows an attacker who can influence JMS configuration to execute arbitrary code on the host. A patched-image rebuild at versions 4.1.7 and 4.2.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle Apache CXF.
HarborGuard scores this CVE at 8.1 HIGH using the published CVSS v3.1 vector and can weight findings against each customer organization's per-environment compliance policy, routing alerts to the appropriate team inbox for review.
A patched-image rebuild at Apache CXF version 4.1.7 or 4.2.2 becomes available on HarborGuard for any image found running an affected release. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The vulnerable component is exposed over the network, so an attacker must be able to reach the Apache CXF service across the internet or an internal network.
- Authentication: Not required
  No credentials or account are needed to attempt exploitation; the attacker can interact with the service as an anonymous user.
- Victim interaction: Not required
  No user action or social engineering is required; the attacker can trigger the vulnerability without any participation from a legitimate user.
- Attack complexity: High
  Exploitation is rated high complexity, meaning the attacker must meet specific environmental or race conditions, such as having the ability to supply or influence untrusted JMS configuration for the CXF instance.
Blast Radius
- A successful attacker can execute arbitrary code on the server hosting Apache CXF, gaining full control of that process.
- Confidential data accessible to the CXF process, including credentials, session tokens, and application records, can be read directly.
- The attacker can modify or delete persisted data and application state managed by the compromised service.
- The exploited service and any dependent services it calls can be crashed or made unavailable.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-50632 is active across all connected customer environments, matching against any image that packages an affected Apache CXF release (4.0.x up to but not including 4.1.7, or 4.2.0 up to but not including 4.2.2). For environments with auto-remediation enabled, HarborGuard can rebuild affected images at the fixed versions (4.1.7 or 4.2.2), execute a regression test run against the rebuilt image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in such environments. Where compliance policy requires manual approval, the rebuild artifact and test results are staged and the finding is routed to the responsible team for sign-off. Because this CVE represents an incomplete fix for a prior RCE advisory (CVE-2026-44417), teams that already patched for the earlier advisory should verify that their images have been rebuilt at the newly required minimum versions.
Fix available
- Apache Software Foundation / Apache CXF: < 4.2.2 (from 4.2.0) · < 4.1.7 (from 0)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
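Because this advisory supersedes the fix for CVE-2026-44417, an image that was rebuilt for the earlier advisory may still fall inside the ranges listed under "Fix available". The following added example (not HarborGuard's or Apache CXF's own code) encodes exactly those two ranges and triages an inventory of image-to-version pairs; the inventory, image names and versions are constructed for illustration. Version strings with a qualifier such as "-SNAPSHOT" are flagged for manual review, since a snapshot of 4.2.2 may predate the actual fix even though it compares as fixed numerically.

```python
"""Affected-version triage for CVE-2026-50632 (Apache CXF JMSConfigFactory JNDI injection).

Affected ranges are those listed in the advisory's "Fix available" entry:
  >= 0     and < 4.1.7   -> affected, minimum fix 4.1.7
  >= 4.2.0 and < 4.2.2   -> affected, minimum fix 4.2.2
Anything else (4.1.7 up to 4.2.0, and 4.2.2 or later) is outside the ranges.
Added example, not part of the advisory or of any product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (inclusive lower bound, exclusive upper bound, minimum fixed release for that range)
AFFECTED_RANGES = (
    ((0, 0, 0), (4, 1, 7), "4.1.7"),
    ((4, 2, 0), (4, 2, 2), "4.2.2"),
)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> tuple[tuple[int, int, int], str]:
    """Return ((major, minor, patch), qualifier) for '4.2.1', '4.1' or '4.2.2-SNAPSHOT'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    numeric = (int(major), int(minor or 0), int(patch or 0))
    return numeric, qualifier.strip("-.")


def is_affected(version: str) -> bool:
    """True when the numeric part of the version lies inside an affected range."""
    numeric, _ = parse_version(version)
    return any(lo <= numeric < hi for lo, hi, _ in AFFECTED_RANGES)


def minimum_fixed_version(version: str) -> str | None:
    """Smallest fixed release for the range the version falls in; None if not affected."""
    numeric, _ = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= numeric < hi:
            return fixed
    return None


@dataclass
class Finding:
    image: str
    cxf_version: str
    affected: bool
    upgrade_to: str | None
    needs_review: bool  # a qualifier such as -SNAPSHOT makes the numeric comparison unreliable


def triage(inventory: dict[str, str]) -> list[Finding]:
    """inventory maps image reference -> detected CXF version; returns one Finding per image."""
    findings = []
    for image, version in inventory.items():
        _, qualifier = parse_version(version)
        findings.append(Finding(image, version, is_affected(version),
                                minimum_fixed_version(version), bool(qualifier)))
    return findings


def affected_images(inventory: dict[str, str]) -> list[str]:
    """Sorted image references whose CXF version is inside an affected range."""
    return sorted(f.image for f in triage(inventory) if f.affected)


# Constructed sample inventory: hypothetical image names and versions, not data from the advisory.
SAMPLE_INVENTORY = {
    "registry.example/orders-api:1.4": "4.1.6",
    "registry.example/billing:2.0": "4.2.1",
    "registry.example/legacy-soap:0.9": "3.6.4",
    "registry.example/gateway:3.1": "4.1.7",
    "registry.example/reports:5.2": "4.2.2-SNAPSHOT",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        status = f"AFFECTED, upgrade to {f.upgrade_to}" if f.affected else "outside affected ranges"
        if f.needs_review:
            status += " (qualifier present, review manually)"
        print(f"{f.image:38} cxf {f.cxf_version:16} {status}")
```

Note that the ranges are half-open on the fixed release, so 4.1.7 and 4.2.2 themselves are not flagged, while 4.1.9 (between the two ranges) is also not flagged because the 4.2 range starts at 4.2.0.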