Apache CXF Flaws Expose Apps to Spoofing, JNDI Injection
A Wave of Critical Flaws Hits Apache CXF
The Apache CXF project has disclosed five new vulnerabilities affecting widely used Java web service components. Apache CXF security teams rated each issue as important. Together, these flaws touch JSON signature validation, JNDI deployment descriptors, OAuth2 access control, and XML parsing.
Organizations running Apache CXF before version 4.2.2, or before 4.1.7 on the older branch, should review their deployments closely. Several modules are affected, including cxf-rt-rs-security-jose-jaxrs, cxf-integration-jca, cxf-rt-rs-security-oauth2, and cxf-core.
Signature and Header Trust Issues (CVE-2026-50634)
The first flaw involves the JwsJsonContainerRequestFilter component. This filter can process metadata that was never verified by the accepted signature. As a result, applications may trust a Content-Type or protected header that an attacker controls. Consequently, downstream JAX-RS parsing logic could be misled by unauthenticated data.
JNDI Injection in the JCA Module (CVE-2026-50633)
Next, a JNDI injection flaw affects the JCA integration module. If an attacker manipulates the ra.xml deployment descriptor or runtime activation parameters, this could lead to remote code execution. Therefore, teams using message-driven beans through CXF should treat this as a priority fix.
OAuth2 IP Binding and Token Validation Flaws (CVE-2026-50628, CVE-2026-50627)
Meanwhile, two separate OAuth2 issues compound the risk. First, an inverted IP binding check in OAuthRequestFilter rejects legitimate requests while allowing requests from unbound addresses. Second, JwtAccessTokenValidator fails to check the audience and issuer claims on incoming tokens. Because of this gap, a token issued for one resource server could be replayed against another, enabling token confusion attacks.
XXE Risk in Core Parsing Utilities (CVE-2026-49875)
Additionally, EndpointReferenceUtils and W3CMultiSchemaFactory build SAXParserFactory instances without proper JAXP hardening. This gap allows out-of-band XML external entity resolution. Attackers could potentially exfiltrate data or trigger requests to internal systems.
Remediation Guidance
For all five issues, the fix is the same. Upgrade Apache CXF to version 4.2.2, or to 4.1.7 for those on the older line. Given the breadth of affected modules, a full dependency audit is strongly advised.
Administrators can find further technical guidance and advisories by visiting the official Apache CXF security advisories page. Staying current with these updates remains the best defense against exploitation.
Final Thoughts
These five issues highlight how layered security controls can fail in subtle ways. Apache CXF users should act quickly to patch affected modules. Regular dependency reviews can help catch similar gaps before attackers find them.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
