CVE-2026-50633 · Severity: HIGH · CNA: apache

CVE-2026-50633: Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 4.1.7
Affected products: 1


HarborGuard Analysis

Synopsis

A JNDI injection vulnerability exists in Apache CXF's JCA integration module, specifically in the DispatchMDBMessageListenerImpl component. The flaw is reachable over the network without authentication, though exploitation requires the attacker to manipulate a JCA deployment descriptor (ra.xml) or runtime activation parameters, adding a layer of complexity. Successful exploitation enables full remote code execution on the host running the affected CXF instance. A patched-image rebuild at versions 4.1.7 or 4.2.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Apache and NVD advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apache CXF, in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this CVE at CVSS 8.1 (HIGH) and can weight that score against each environment's compliance policy to determine escalation priority. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at Apache CXF versions 4.1.7 or 4.2.2 becomes available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite, and open a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is exposed over the network, meaning an attacker must be able to reach the CXF service remotely to attempt exploitation.

  • Authentication: Not required

    No credentials or account are needed; the attacker can interact with the service as an unauthenticated party.

  • Victim interaction: Not required

    Exploitation does not depend on any action by a user or administrator on the target system.

  • Attack complexity: High

    Exploitation is rated High complexity because the attacker must be able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters, which requires specific preconditions beyond a simple unauthenticated request.

Blast Radius

  • A successful attacker achieves remote code execution on the host running the affected Apache CXF instance.
  • Confidential data accessible to the CXF process, including secrets, credentials, and application data, is readable by the attacker.
  • The attacker can write or modify files and application state on the host, including persisted data and configuration.
  • The attacker can crash or destabilize the CXF service and any dependent workloads, causing a service outage.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-50633 is active across all scanning environments, matching images that bundle any Apache CXF version in the affected range (all versions below 4.1.7, and 4.2.0 through versions below 4.2.2). Where compliance policy permits, HarborGuard can rebuild affected images at the patched versions (4.1.7 for the 4.1.x line, 4.2.2 for the 4.2.x line). For customers with auto-remediation enabled, the full flow is available: image rebuild, regression-test run, and a PR opened against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who cannot immediately rebuild are encouraged to apply network policy controls that restrict which hosts can deliver JCA deployment descriptors or interact with the CXF JCA integration endpoint, reducing the attacker's ability to satisfy the manipulation precondition required for exploitation.
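The affected ranges above (everything below 4.1.7, and 4.2.0 up to but not including 4.2.2) are the input a scanner needs. The following is an added example, not HarborGuard's or Apache CXF's own code: it encodes those ranges, parses Maven version strings (treating a pre-release qualifier such as -SNAPSHOT as sorting below the bare release, the Maven convention), and flags any org.apache.cxf artifact in a `mvn dependency:list` style listing, as the page's image matching does. The dependency lines are a constructed sample.

```python
import re

# Affected ranges as stated on the page: [from, fixed) per release line.
# Version tuples are (major, minor, patch, release_flag); release_flag is 0 for
# pre-release qualifiers (e.g. 4.1.7-SNAPSHOT) so they sort below the bare release.
AFFECTED_RANGES = [
    ((0, 0, 0, 0), (4, 1, 7, 1)),   # < 4.1.7 (from 0)
    ((4, 2, 0, 0), (4, 2, 2, 1)),   # < 4.2.2 (from 4.2.0)
]
FIX_FOR_LINE = {(4, 1): "4.1.7", (4, 2): "4.2.2"}

# Constructed sample in the format printed by `mvn dependency:list`.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.cxf:cxf-rt-frontend-jaxws:jar:4.1.6:compile
[INFO]    org.apache.cxf:cxf-integration-jca:jar:4.2.1:compile
[INFO]    org.apache.cxf:cxf-core:jar:4.2.2:compile
[INFO]    org.apache.cxf:cxf-rt-transports-http:jar:4.1.7-SNAPSHOT:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile
"""

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")
DEP_RE = re.compile(r"^\[INFO\]\s+([\w.-]+):([\w.-]+):jar:([^:\s]+):")

def parse_version(v):
    """Turn 'major.minor[.patch][-qualifier]' into a comparable tuple."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1)

def is_affected(version):
    t = parse_version(version)
    return any(lo <= t < hi for lo, hi in AFFECTED_RANGES)

def fixed_version_for(version):
    """Patched version on the same release line, or None if not affected."""
    if not is_affected(version):
        return None
    t = parse_version(version)
    # Everything below the 4.2 line (3.x included) is directed to 4.1.7.
    return FIX_FOR_LINE[(4, 2)] if t[:2] >= (4, 2) else FIX_FOR_LINE[(4, 1)]

def scan_dependency_list(text):
    """Return (artifact, version, fix) for each affected org.apache.cxf artifact."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.match(line)
        if not m or m.group(1) != "org.apache.cxf":
            continue
        artifact, version = m.group(2), m.group(3)
        if is_affected(version):
            findings.append((artifact, version, fixed_version_for(version)))
    return findings
```

Flagging is by version of any CXF artifact, so a hit on a non-JCA artifact is a prompt to check whether the JCA integration module is also bundled, not proof that it is.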


Fix available: 4.1.7, 4.2.2

Affected packages
  • Apache Software Foundation / Apache CXF
    < 4.2.2 (from 4.2.0) · < 4.1.7 (from 0)

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H