PatchSiren cyber security CVE debrief
CVE-2026-50633 Apache Software Foundation CVE debrief
CVE-2026-50633 is a HIGH severity vulnerability in Apache CXF's JCA integration module. It is a JNDI injection issue that can allow code execution if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to version 4.2.2 or 4.1.7, either of which fixes this issue.
- Vendor: Apache Software Foundation
- Product: Apache CXF
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Apache CXF's JCA integration module, particularly those who have not upgraded to versions 4.2.2 or 4.1.7.
Technical summary
A JNDI injection vulnerability has been discovered in Apache CXF's JCA integration module. It can allow code execution if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Apache CXF version 4.2.2 or 4.1.7 to fix the JNDI Injection vulnerability.
Evidence notes
The vulnerability has a CVSS score of 8.1 and is considered HIGH severity. The CVE was published on 2026-06-12T10:16:23.297Z and last modified on 2026-06-12T18:53:11.240Z.
Official resources
- CVE-2026-50633 CVE record (CVE.org)
- CVE-2026-50633 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory