HarborGuard Database
Severity: HIGH · CVE-2026-50645 · CNA: apache

CVE-2026-50645: Apache CXF: No restriction on attachment headers per message

There is no restriction on the number of attachment headers that a message can contain when it is deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial-of-service attack. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fix this issue by imposing a default maximum of 500 attachments per message.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 4.1.7, 4.2.2
Affected Products: 1


HarborGuard Analysis

Synopsis

An uncontrolled resource consumption vulnerability affects Apache CXF versions before 4.1.7 and versions 4.2.0 through 4.2.1. The flaw is reachable over the network without authentication and stems from the absence of an upper limit on the number of attachment headers that CXF will process when deserializing an incoming message. A remote attacker can exploit it by sending a crafted multipart request carrying an excessive number of attachments, exhausting server memory and CPU and causing a denial of service; because each additional attachment costs only a boundary line and a few header bytes, a large count fits in a modest request body. Patched-image rebuilds at versions 4.1.7 and 4.2.2 are available on HarborGuard for environments running an affected version.
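The description and synopsis above both describe the same limit: a parser that counts attachments as it streams a multipart message and aborts once a configured maximum is exceeded. The following is an added example written for this page, not code from Apache CXF or HarborGuard. It is a small streaming multipart/related parser with such a cap (defaulting to the 500 cited in the advisory) and a generator for a constructed flood message, so the cost of an unbounded count can be seen directly. The message layout, header names, and function names are assumptions for the illustration and do not reproduce CXF's own parser or configuration keys.

```python
"""Bounded multipart parsing.

Added example, not code from Apache CXF or HarborGuard: a streaming
multipart/related parser that refuses a message once its attachment count
exceeds a configured maximum, illustrating the class of limit the advisory
says CXF 4.1.7 and 4.2.2 introduce (default 500 attachments per message).
The sample message format and the names below are constructed for the
demonstration and do not reproduce CXF's parser or its configuration keys.
"""
import io
from typing import Dict, Iterable, List, Optional, Tuple

MAX_ATTACHMENTS_DEFAULT = 500  # the default cited in the advisory

Part = Tuple[Dict[bytes, bytes], bytes]


class AttachmentLimitExceeded(Exception):
    """Raised as soon as the part count exceeds the configured maximum."""


def build_multipart(boundary: bytes, n_attachments: int, payload: bytes = b"x") -> bytes:
    """Constructed sample: one SOAP root part followed by n_attachments small
    MIME parts. Each extra part costs only a few dozen bytes of request body,
    which is why an unbounded part count is cheap for the sender."""
    buf = io.BytesIO()
    buf.write(b"--" + boundary + b"\r\n")
    buf.write(b"Content-Type: application/xop+xml\r\nContent-ID: <root>\r\n\r\n")
    buf.write(b"<soap:Envelope/>\r\n")
    for i in range(n_attachments):
        buf.write(b"--" + boundary + b"\r\n")
        buf.write(b"Content-Type: application/octet-stream\r\n")
        buf.write(b"Content-ID: <att%d>\r\n\r\n" % i)
        buf.write(payload + b"\r\n")
    buf.write(b"--" + boundary + b"--\r\n")
    return buf.getvalue()


def parse_multipart(stream: Iterable[bytes], boundary: bytes,
                    max_attachments: int = MAX_ATTACHMENTS_DEFAULT) -> List[Part]:
    """Walk the body line by line and return (headers, body) per part.

    The count is checked when a delimiter opens a new part, before that
    part's headers or body are read, so an oversized message is rejected
    without buffering the excess. The first part is the root (SOAP
    envelope) and is not counted as an attachment. Folded (continuation)
    header lines are not handled."""
    delim = b"--" + boundary
    close = delim + b"--"
    it = iter(stream)
    parts: List[Part] = []
    headers: Optional[Dict[bytes, bytes]] = None  # None while still in the preamble
    body: List[bytes] = []
    for raw in it:
        line = raw.rstrip(b"\r\n")
        if line != delim and line != close:
            if headers is not None:      # preamble before the first delimiter is ignored
                body.append(line)
            continue
        if headers is not None:          # a delimiter closes the part in progress
            parts.append((headers, b"\r\n".join(body)))
        if line == close:
            return parts
        # parts[0] is the root, so len(parts) is the attachment count the
        # message would reach with the part that is about to open.
        if len(parts) > max_attachments:
            raise AttachmentLimitExceeded(
                "more than %d attachments in one message" % max_attachments)
        headers, body = {}, []
        for hraw in it:                  # header block ends at the first blank line
            hline = hraw.rstrip(b"\r\n")
            if hline == b"":
                break
            name, _, value = hline.partition(b":")
            headers[name.strip().lower()] = value.strip()
    raise ValueError("multipart body not terminated by closing delimiter")


def accepts(msg: bytes, boundary: bytes,
            max_attachments: int = MAX_ATTACHMENTS_DEFAULT) -> bool:
    """True if the message parses within the limit, False if it is rejected."""
    try:
        parse_multipart(io.BytesIO(msg), boundary, max_attachments)
        return True
    except AttachmentLimitExceeded:
        return False


if __name__ == "__main__":
    boundary = b"uuid:0b1a-constructed"
    flood = build_multipart(boundary, 10_000)
    print("10,000-attachment message is only %d bytes" % len(flood))
    print("accepted with no effective limit:", accepts(flood, boundary, max_attachments=10**9))
    print("accepted with the 500 default:", accepts(flood, boundary))
```

The check sits at the delimiter rather than after the whole body has been read: that placement is what turns an unbounded allocation into an early, cheap rejection, and it is the property to look for when reviewing any multipart or attachment handler, whatever the exact limit value.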

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-50645 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed publication. This coverage extends to custom-built images that bundle Apache CXF, not just official base images.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights that score against each customer environment's compliance policy to determine urgency. Triage alerts can be routed to the appropriate team inbox within a customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at Apache CXF 4.1.7 or 4.2.2 becomes available on HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable deserialization path is exposed over the network, so an attacker must be able to send HTTP or SOAP requests to the CXF service endpoint.

  • Authentication: Not required

    No credentials or session token are needed; the oversized multipart payload can be submitted by any unauthenticated caller.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker sends a crafted request directly to the server.

  • Attack complexity: Low

    The attack is reliable and needs no race condition or special environmental setup beyond network access to the service, which is why the CVSS vector rates it AC:L.

Blast Radius

  • The affected service exhausts available memory or CPU processing time while parsing unbounded attachment headers, crashing or hanging the CXF process.
  • Legitimate clients lose access to any functionality hosted by the affected CXF endpoint for the duration of the attack.
  • Depending on deployment topology, resource exhaustion on a shared host can degrade or bring down co-located services that share the same JVM or container.

How HarborGuard Handles This

Available on HarborGuard: images containing Apache CXF versions affected by CVE-2026-50645 are eligible for an automatic rebuild at the fixed versions (4.1.7 for the 4.1.x line, 4.2.2 for the 4.2.x line). For customers who opt into auto-remediation, the typical flow is a rebuilt image, a regression test run, and a pull request opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled. Where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 7.5 HIGH severity and fix version details so engineers can act manually. As an immediate compensating control while a rebuild is prepared, network policy rules that restrict which upstream clients can reach the CXF service endpoint reduce the attack surface by limiting who can send the oversized multipart payloads. That control helps only to the extent that the permitted callers are themselves trusted: an exposed gateway that forwards anonymous requests unchanged passes the attack straight through. Capping the request body size at that gateway or reverse proxy also bounds the number of MIME parts a single request can carry, because every part costs at least a boundary line and its headers.
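The network-policy control described above, as an added example for this page (not HarborGuard's or Apache CXF's own configuration): a Kubernetes NetworkPolicy that selects the CXF pods and admits ingress only from one labelled client workload. Once a pod is selected by an ingress policy, any ingress the policy does not match is denied. The namespace, labels, policy name, and port are assumptions for the illustration.

```yaml
# Added example; names, labels, namespace and port are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cxf-service-ingress-allowlist   # assumed policy name
  namespace: payments                   # assumed namespace of the CXF workload
spec:
  podSelector:
    matchLabels:
      app: cxf-service                  # assumed label on the pods running Apache CXF
  policyTypes:
    - Ingress                           # selecting the pods here denies all other ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api-gateway          # assumed label on the only permitted caller
      ports:
        - protocol: TCP
          port: 8080                    # assumed port the CXF endpoint listens on
```

The policy narrows who can reach the endpoint; it does nothing about what the permitted caller forwards, so if `api-gateway` relays unauthenticated external traffic the rebuild to 4.1.7 or 4.2.2 remains the actual fix.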


Fix available: 4.1.7, 4.2.2

Affected packages
  • Apache Software Foundation / Apache CXF
    < 4.2.2 (from 4.2.0) · < 4.1.7 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H