CVE-2026-50633

Severity CVSS v4.0:

Pending analysis

Type:

CWE-20 Input Validation

Publication date:

12/06/2026

Last modified:

12/06/2026

Description

A JNDI Injection vulnerability has been discovered in Apache CXF&#39;s JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Impact

References to Advisories, Solutions, and Tools

https://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf
http://www.openwall.com/lists/oss-security/2026/06/11/10