PatchSiren cyber security CVE debrief
CVE-2026-50632 Apache Software Foundation CVE debrief
CVE-2026-50632 is a HIGH-severity vulnerability (CVSS score 8.1) in Apache CXF that results from an incomplete fix for the earlier advisory CVE-2026-44417. It can allow code execution if untrusted users are allowed to configure JMS for Apache CXF. The issue was published on 2026-06-12T10:16:23.183Z and last modified on 2026-06-12T18:58:03.547Z.
- Vendor: Apache Software Foundation
- Product: Apache CXF
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Apache CXF who allow untrusted users to configure JMS are potentially affected by this vulnerability.
Technical summary
The vulnerability is caused by an incomplete fix for the previous advisory CVE-2026-44417, which allowed Remote Code Execution (RCE) through untrusted JMS configuration in Apache CXF. The issue is fixed in Apache CXF versions 4.2.2 and 4.1.7.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Apache CXF version 4.2.2 or 4.1.7, which contain the fix.
- Restrict JMS configuration to trusted users only.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide official information about this vulnerability. A vendor advisory [ref-4] is also available for mitigation guidance.
Official resources
- CVE-2026-50632 CVE record (CVE.org)
- CVE-2026-50632 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory