These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2025-62198 is an authenticated cross-site scripting (XSS) vulnerability in Apache Atlas versions 2.4.0 and earlier: an authenticated user can inject script that runs in other users' browsers. Defenders should assess their exposure and prioritize upgrading to version 2.5.0, which fixes the issue. This vulnerability has a significant impact on the security posture of affected systems, and defenders should take immediat [truncated]
CVE-2026-49872 is an Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate with credentials from a different source. This issue affects Apache APISIX versions from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. The CVSS score is 5.3, indicating a medium severity vulnerabil [truncated]
CVE-2026-49871 is a Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin of Apache APISIX. Under default configurations, a remote attacker can send a victim to a controlled webpage, causing the victim's browser to become authenticated as a different identity. Actions taken by the victim are then attributed to the attacker's identity. This issue affects Apache APISIX versions from 3.0.0 t [truncated]
CVE-2026-49231 is an Authentication Bypass by Spoofing vulnerability in the opa plugin of Apache APISIX. Under a non-default configuration, an attacker could relay spoofed identity headers to the upstream service and so assume higher privileges. Affected versions are from 3.5.0 through 3.16.0. Users should upgrade to version 3.17.0. This issue has a CVSS score of 2.3 and is considered LOW severity.
CVE-2026-49230 is a MEDIUM-severity vulnerability in Apache APISIX, affecting versions from 3.8.0 through 3.16.0. The issue lies in the jwe-decrypt plugin, which is vulnerable to authentication bypass under its default configuration. Defenders should prioritize upgrading to version 3.17.0, which fixes the issue. This vulnerability has a CVSS score of 6.3, indicating moderate risk.
CVE-2026-48895 is an Open Redirect vulnerability in Apache APISIX, a popular open-source API gateway. An attacker could manipulate client headers to perform an open redirect, potentially exposing the session token. This issue affects Apache APISIX versions from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. The CVSS score for this vulnerability is 2.1, ind [truncated]
CVE-2026-47341 is a medium-severity Authentication Bypass by Capture-replay vulnerability in Apache APISIX. The issue arises from certain configurations in hmac-auth, allowing an attacker to reuse a token indefinitely and bypass expiry. This vulnerability affects Apache APISIX versions from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0 to fix the issue. The CVSS score for this [truncated]
CVE-2026-44087 is a MEDIUM-severity vulnerability in Apache APISIX's openid-connect plugin. Under default configuration, an attacker can spoof identity headers to access protected resources without authorization. This Insufficient Verification of Data Authenticity issue affects Apache APISIX versions from 2.3 to 3.16.0. Defenders should prioritize upgrading to version 3.17.0, which fixes the issue. The vu [truncated]
CVE-2026-44046 is a low-severity vulnerability in Apache APISIX, affecting versions from 1.2.0 through 3.16.0. The issue allows attackers to potentially pollute logs with spoofed identity information and exploit IP-based access control rules using the wolf-rbac plugin under default configuration. Defenders should assess their exposure and prioritize upgrading to version 3.17.0, which fixes the issue. The [truncated]
CVE-2026-39998 is a MEDIUM-severity Improper Input Validation vulnerability in Apache APISIX, affecting versions from 2.12.0 through 3.16.0. An attacker can exploit certain configurations in the forward-auth plugin to spoof identity headers. Users should upgrade to version 3.17.0 to fix the issue. This vulnerability has a CVSS score of 5.8 and was published on June 19, 2026.
CVE-2026-42357 is a medium-severity vulnerability in Apache DolphinScheduler that allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. The vulnerability has a CVSS score of 6.5 and is classified as CWE-86 [truncated]
CVE-2026-41280 is a MEDIUM-severity vulnerability in Apache DolphinScheduler, affecting versions prior to 3.4.2. The issue allows users with system login privileges to delete task definitions in unauthorized projects, posing a risk to data integrity and project management. Users should upgrade to version 3.4.2, which fixes this issue. This vulnerability has a CVSS score of 4.9 and is categorized under CWE [truncated]
CVE-2026-32967 is a critical Incorrect Authorization vulnerability in Apache DolphinScheduler's `/v2` experimental interface. The issue affects all versions before 3.4.2 and has a CVSS score of 9.1. Users should upgrade to version 3.4.2 to fix the issue. This vulnerability allows unauthorized access, potentially leading to data breaches or system compromise. Organizations using Apache DolphinScheduler sho [truncated]
Apache DolphinScheduler versions before 3.4.2 are vulnerable to a critical issue (CVSS 9.8) due to a missing authorization check in the DataSource API. This oversight allows for arbitrary data source metadata disclosure. The vulnerability, tracked as CVE-2026-32966, was made public on June 17, 2026. Users of affected versions are strongly advised to upgrade to version 3.4.2, which addresses this issue. Th [truncated]
CVE-2026-50645 is a HIGH severity vulnerability in Apache CXF, with a CVSS score of 7.5. The vulnerability occurs because there is no restriction on the number of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this i [truncated]
A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted 'Content-Type' or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are re [truncated]
CVE-2026-50633 is a HIGH severity vulnerability in Apache CXF's JCA integration module. The vulnerability is a JNDI Injection issue, which can allow code execution if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
CVE-2026-50632 is a HIGH-severity vulnerability (CVSS Score: 8.1) in Apache CXF, which is an incomplete fix for a previous advisory CVE-2026-44417. This vulnerability can allow code execution capabilities if untrusted users are allowed to configure JMS for Apache CXF. The issue was published on 2026-06-12T10:16:23.183Z and last modified on 2026-06-12T18:58:03.547Z.
CVE-2026-50631 is a HIGH severity vulnerability in Apache CXF's AbstractOAuthDataProvider. A race condition allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens when 'recycleRefreshTokens' is set to false. This can be exploited if a refresh token is leaked and replayed concurrently by multiple attackers or threads. Users are recom [truncated]
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class of Apache CXF. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely.
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files.
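The two CXF items above share one root cause: a request-controlled string reaches a line-oriented sink (an HTTP header value, a log record) with its CR, LF and other control characters intact. The Python below is an added illustration, not CXF's code; the header and log-message shapes and the attacker inputs are constructed for the example. It shows the extra header lines a client would observe, a rejecting check for the header value, and an escaping sanitizer for the log path.

```python
import re

# C0 control characters plus DEL: none of them belong in an HTTP header value
# or in a single-line log record.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed attacker-controlled inputs (not from any advisory).
REALM_PAYLOAD = 'api"\r\nSet-Cookie: session=attacker\r\nX-Injected: 1'
CLIENT_ID_PAYLOAD = "legit-client\n2026-06-12 12:00:00 INFO  admin login succeeded"


def is_safe_header_value(value: str) -> bool:
    return _CONTROL_CHARS.search(value) is None


def build_www_authenticate_unsafe(realm: str) -> str:
    """Vulnerable pattern (assumed shape, not CXF's code): realm concatenated as-is."""
    return 'Bearer realm="' + realm + '"'


def build_www_authenticate_safe(realm: str) -> str:
    """Hardened: refuse control characters outright (the value may be
    attacker-influenced, so rejecting beats escaping), then escape the
    quoted-string delimiters so the header stays well-formed (RFC 7235)."""
    if not is_safe_header_value(realm):
        raise ValueError("realm contains control characters")
    quoted = realm.replace("\\", "\\\\").replace('"', '\\"')
    return 'Bearer realm="' + quoted + '"'


def header_lines(header_value: str) -> list[str]:
    """What a client sees: a CRLF inside one value yields additional header lines."""
    return header_value.split("\r\n")


def log_line_unsafe(client_id: str) -> str:
    """Vulnerable pattern (assumed shape): client_id concatenated into the message."""
    return "WARN  OAuth client not found: " + client_id


def sanitize_for_log(value: str) -> str:
    """Render each control character visibly (\\x0a and so on) so one request
    can never produce a second, forged log record."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def log_line_safe(client_id: str) -> str:
    return "WARN  OAuth client not found: " + sanitize_for_log(client_id)
```

Rejecting rather than escaping is the right call for the header: a realm containing CR or LF is never legitimate, and escaping invites a second parsing discrepancy. For logs, escaping keeps the evidence of the attempt in the record instead of dropping it.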
CVE-2026-50628 is a vulnerability caused by a logic error in OAuthRequestFilter. The error makes the filter reject legitimate requests that originate from the bound IP address while allowing requests from any other IP address. Enabling this security feature therefore inverts the intended check, potentially exposing systems to unauthorized access.
The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks.
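An audience check is cheap and needs only the standard library once the signature has been verified. The block below is an added Python example, not CXF's JwtAccessTokenValidator; the token builder emits a placeholder signature purely so the claim logic can be exercised offline, and the resource-server identifiers and clock value are constructed. It handles both forms the `aud` claim may take (string or array of strings) and fails closed when the claim is absent or malformed.

```python
import base64
import json

NOW = 1_750_000_000  # constructed "current time" in seconds since the epoch
BILLING_RS = "https://billing.example"  # constructed resource-server identifiers
REPORTS_RS = "https://reports.example"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Constructed test token. The third segment is a placeholder, not a real
    signature: this example assumes signature verification already passed and
    only exercises the claim check that must follow it."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def claims_of(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_without_aud(token: str, now: int) -> bool:
    """Vulnerable pattern: expiry is checked, the intended recipient is not,
    so a token minted for one resource server is accepted by any other."""
    return claims_of(token).get("exp", 0) > now


def validate_with_aud(token: str, now: int, my_identifier: str) -> bool:
    """Hardened: RFC 7519 section 4.1.3 lets 'aud' be a string or an array of
    strings; accept only if our own identifier is present, and fail closed
    when the claim is missing or malformed."""
    claims = claims_of(token)
    if claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False
    return my_identifier in audiences


# Constructed tokens: one per resource server, one multi-audience, one
# without an audience at all, one expired.
BILLING_TOKEN = make_token({"sub": "alice", "aud": BILLING_RS, "exp": NOW + 600})
MULTI_AUD_TOKEN = make_token({"sub": "alice", "aud": [BILLING_RS, REPORTS_RS], "exp": NOW + 600})
NO_AUD_TOKEN = make_token({"sub": "alice", "exp": NOW + 600})
EXPIRED_TOKEN = make_token({"sub": "alice", "aud": BILLING_RS, "exp": NOW - 1})
```

The important design choice is the final branch: a token with no `aud` is rejected, not waved through, because an issuer that omits the claim is exactly the situation in which cross-service replay is easiest.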
An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. Note that this check is only a safeguard for deployments in which authentication was not enabled on the service. Users are re [truncated]
CVE-2026-49875 is a vulnerability in Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes. These classes construct a SAXParserFactory without the necessary JAXP hardening configurations, which enables out-of-band (OOB) external entity resolution. The CVE record is at https://www.cve.org/CVERecord?id=CVE-2026-49875.
CVE-2026-47342 is a high-severity privilege escalation vulnerability in Apache OFBiz. The vulnerability allows a low-privileged authenticated user to obtain higher privileges. This issue affects Apache OFBiz versions before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue. The CVSS score for this vulnerability is 8.8, indicating a high severity.
The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitra [truncated]
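A containment check for the join described above, as an added Python example rather than the provider's own code; the function names are hypothetical. The check resolves the joined path with posixpath (GCS object names use '/' as their separator) and requires the result to stay strictly below destination_path, using commonpath so that a sibling directory sharing a prefix is not mistaken for a child. It also shows where the unchecked join actually lands.

```python
import posixpath


def smb_destination_unsafe(destination_path: str, object_name: str) -> str:
    """Vulnerable pattern (assumed shape, not the provider's code): a plain join."""
    return posixpath.join(destination_path, object_name)


def resolved_unsafe(destination_path: str, object_name: str) -> str:
    """Where the unsafe join lands once the '..' segments are collapsed."""
    return posixpath.normpath(smb_destination_unsafe(destination_path, object_name))


def smb_destination_safe(destination_path: str, object_name: str) -> str:
    """Containment check: normalise the joined path and require it to stay
    strictly below destination_path. Backslash and NUL are rejected as a
    design choice, since the SMB side treats '\\' as a separator and NUL
    truncates paths; GCS object names legitimately use '/'."""
    if not object_name or "\\" in object_name or "\x00" in object_name:
        raise ValueError(f"rejected object name: {object_name!r}")
    if posixpath.isabs(object_name):
        # posixpath.join would discard destination_path entirely here.
        raise ValueError(f"absolute object name: {object_name!r}")
    root = posixpath.normpath(destination_path)
    candidate = posixpath.normpath(posixpath.join(root, object_name))
    # commonpath, not str.startswith: '/share/incoming-evil' must not pass
    # as a child of '/share/incoming'.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"object name escapes destination: {object_name!r}")
    return candidate


def is_contained(destination_path: str, object_name: str) -> bool:
    """Boolean view of the check, for policy decisions and tests."""
    try:
        smb_destination_safe(destination_path, object_name)
        return True
    except ValueError:
        return False
```

The check deliberately normalises before comparing, so an object name such as `a/../b.csv` is still accepted (it resolves inside the destination) while `reports/../../../etc/passwd` is not; rejecting on the mere presence of `..` would be both stricter than needed and easier to get wrong.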
CVE-2026-49975 is a HIGH severity vulnerability in EasyApache 4, with a CVSS score of 7.5. The vulnerability allows attackers to craft malicious HTTP/2 cookie headers that can multiply across streams, consuming excessive memory. The fix makes cookie headers count against LimitRequestFields. Note that HTTP/2 is not enabled by default in cPanel configurations.
Apache Fesod (Incubating) fesod-sheet versions prior to 2.0.2-incubating contain a Server-Side Request Forgery (SSRF) vulnerability in the UrlImageConverter component. The flaw allows attackers to supply arbitrary image URLs that trigger outbound network requests from the server to internal or restricted resources. This can enable unauthorized access to internal services, cloud metadata endpoints, or othe [truncated]
Apache Fluss (incubating) versions 0.8.0 and 0.9.0 contain a denial-of-service vulnerability in the Netty-based network layer. The LengthFieldBasedFrameDecoder is configured with Integer.MAX_VALUE as the maximum frame length, permitting unauthenticated remote attackers to exhaust JVM heap memory on both TabletServer and CoordinatorServer components by sending crafted frame headers. The vulnerability was d [truncated]
A vulnerability in Apache Airflow's KubernetesExecutor exposes JWT authentication tokens through worker pod command-line arguments, enabling privilege escalation for attackers with Kubernetes read-only access in the Airflow namespace. The flaw affects deployments using KubernetesExecutor and requires complementary fixes on both the core Airflow platform and the CNCF Kubernetes provider.
An unauthenticated information disclosure vulnerability exists in Apache ActiveMQ Broker, Apache ActiveMQ, and Apache ActiveMQ All. Brokers configured with a network connector and syncDurableSubs enabled incorrectly respond to BrokerInfo commands without requiring authentication, exposing durable topic subscription metadata including client identifiers, subscription names, topic destinations, and JMS sele [truncated]
Apache Airflow's core email utilities fail to verify SMTP server certificates during STARTTLS negotiation, enabling network-positioned attackers to intercept credentials and message contents via forged certificates. This CVE addresses the core `apache-airflow` package, complementing the prior SMTP-provider fix in CVE-2026-41016 (2026-04-27). Affected configurations use `[email] smtp_starttls=True` without [truncated]
Apache ActiveMQ contains an Incorrect Default Permissions vulnerability (CWE-276) in its Jolokia authorization configuration. The default settings grant non-administrative web-login accounts access to privileged broker management operations—including addQueue and removeQueue—that are intended for administrative users only. This authorization bypass allows low-privilege authenticated attackers to execute a [truncated]
A path traversal vulnerability in Apache MINA SSHD's sshd-git bundle allows authenticated SSH users to access git repositories outside the configured git server root directory. The flaw stems from missing path validation in git-upload-pack, git-receive-pack, and other git operations. Only applications using the org.apache.sshd:sshd-git artifact are affected; applications not using sshd-git are not vulnera [truncated]
A residual authentication flaw in Apache Airflow's logout handling allows previously-issued JWT tokens to remain valid after a user clicks logout in the UI. The vulnerability specifically affects deployments using FabAuthManager or KeycloakAuthManager, where the logout flow fails to reach the underlying `revoke_token()` call. This leaves JWT tokens accepted by the API server until their natural expiration [truncated]
An authorization inconsistency in Apache Airflow's Event Log API allows authenticated users with audit-log read permission for one DAG to retrieve audit-log entries for any other DAG by directly accessing the detail endpoint with a numeric event log ID. The collection endpoint (`GET /api/v2/eventLogs`) correctly applies per-DAG scoping, but the detail endpoint (`GET /api/v2/eventLogs/{event_log_id}`) only [truncated]
Incomplete authorization in Apache ActiveMQ allows authenticated users with destination removal permissions to remove existing destinations due to missing authorization checks. The vulnerability affects Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ core packages in versions before 5.19.7 and from 6.0.0 before 6.2.6. The issue was published on 2026-06-01 and is currently undergoing analy [truncated]
Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ are affected by an improper input validation and code injection vulnerability. Non-parenthesized discovery wrappers—specifically `masterslave:vm://...,...` and `static:vm://...`—incorrectly pass validation, bypassing the fix for CVE-2026-34197. An authenticated attacker with access to the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console can inv [truncated]
CVE-2026-45426 is an authorization bypass in Apache Airflow's Log server that allows authenticated workers with a valid per-Dag JWT to access worker logs of other Dags. The root cause is a misuse of Python's `str.lstrip()` for path-prefix validation: `lstrip()` removes any combination of the specified characters from the left of a string rather than matching an exact prefix. A JWT issued for Dag `dag_a` w [truncated]
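The lstrip pitfall in concrete form, as an added Python example; the vulnerable function is an assumed shape of the bug, not Airflow's actual code, and the Dag ids and path layout are constructed. Because `lstrip` strips a character set, the literal `dag_id=` prefix alone is enough to make the check pass for nearly any Dag, not only ids that share characters with the token's Dag.

```python
DAG_IDS = ["dag_a", "dag_b", "dag_ab", "zeta"]  # constructed Dag ids


def log_path_allowed_lstrip(token_dag_id: str, requested_path: str) -> bool:
    """Vulnerable pattern (assumed shape, not Airflow's code). The intent is
    'strip the dag prefix and require that something was stripped', but
    str.lstrip takes a *set of characters*, so any leading run of characters
    drawn from 'dag_id=<id>/' is removed, in whatever order they appear."""
    remainder = requested_path.lstrip(f"dag_id={token_dag_id}/")
    return remainder != requested_path


def log_path_allowed_exact(token_dag_id: str, requested_path: str) -> bool:
    """Hardened: match the exact prefix including the trailing separator, then
    refuse empty, '.' and '..' segments in the remainder so the worker cannot
    climb back out of its own Dag's log directory."""
    prefix = f"dag_id={token_dag_id}/"
    if not requested_path.startswith(prefix):
        return False
    remainder = requested_path[len(prefix):]
    segments = remainder.split("/")
    return bool(remainder) and all(seg not in ("", ".", "..") for seg in segments)


def dags_readable_with(token_dag_id: str, dag_ids, check) -> list[str]:
    """Which Dags' logs a token for token_dag_id can reach under `check`."""
    return [d for d in dag_ids if check(token_dag_id, f"dag_id={d}/run_1/task.log")]
```

`str.removeprefix` (Python 3.9+) is the exact-prefix primitive people reach for when they write `lstrip`, but note that it too returns the input unchanged when the prefix is absent, so a "did anything change" comparison is still needed; the `startswith` form above makes that explicit.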
Apache Airflow's scheduler-side `SerializedCustomReference.deserialize_reference` method deserializes arbitrary class paths from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. In deployments where the DAG bundle is importable from the scheduler process—including default single-host configurations—a DAG author can embed a malicious `DeadlineReference` whose serialized [truncated]
Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 contain hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable). When administrators use this tool to bootstrap BasicAuth, the tool silently installs publicly known default credentials for template users (superadmin, admin, search, index) alongside the user-specified account. A remote attacker can leverage these well-known de [truncated]
Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on its web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the 'ma [truncated]
A vulnerability in Apache Airflow's rendered-template field handling allows nested sensitive-key masking to be bypassed when rendered fields exceed the configured `[core] max_templated_field_length` threshold. When this limit is exceeded, Airflow stringifies the JSON structure before applying redaction, causing nested keys such as `password`, `token`, `secret`, and `api_key` to lose their contextual maski [truncated]
A fix-bypass vulnerability in Apache Airflow's XCom PATCH endpoint allows authenticated users with XCom write permissions to set reserved key names (e.g., `return_value`) that were blocked in the POST endpoint by the `FORBIDDEN_XCOM_KEYS` validator added in CVE-2026-33858. The PATCH endpoint's missing validation, combined with acceptance of serialized payload shapes that the triggerer's deserializer treat [truncated]
A residual information disclosure vulnerability in Apache Airflow's Variable response masker allows authenticated users with Variable read permission to retrieve plaintext secrets from deeply-nested JSON Variables when nesting depth exceeds the shared secrets masker's recursion limit. The masker returns the original nested item before checking for sensitive key-name suffixes (e.g., password, token, secret [truncated]
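Both residual masker issues above (the rendered-template path that stringifies oversized fields before redaction, and the Variable masker whose recursion limit hands back a nested item before its key is tested) come down to the order in which the masker does its checks. The Python below is an added example, not Airflow's secrets masker: the depth limit, suffix list, field-length threshold and inputs are all constructed. It places the vulnerable ordering beside the fixed one for each case.

```python
import json

SENSITIVE_SUFFIXES = ("password", "token", "secret", "api_key")
MAX_DEPTH = 5  # assumed recursion limit, not Airflow's actual value
REDACTED = "***"


def is_sensitive_key(name) -> bool:
    return isinstance(name, str) and name.lower().endswith(SENSITIVE_SUFFIXES)


def mask_buggy(value, name=None, depth=0):
    """Vulnerable pattern (assumed shape): the depth guard fires *before* the
    key-name test, so a sensitive key that sits past the limit is returned raw."""
    if depth > MAX_DEPTH:
        return value
    if is_sensitive_key(name):
        return REDACTED
    if isinstance(value, dict):
        return {k: mask_buggy(v, k, depth + 1) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_buggy(v, name, depth + 1) for v in value]
    return value


def mask_fixed(value, name=None, depth=0):
    """Hardened: test the key first, and fail closed (redact the whole subtree)
    once the recursion budget is exhausted instead of returning it unmasked."""
    if is_sensitive_key(name):
        return REDACTED
    if depth > MAX_DEPTH:
        return REDACTED
    if isinstance(value, dict):
        return {k: mask_fixed(v, k, depth + 1) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_fixed(v, name, depth + 1) for v in value]
    return value


def render_buggy(fields: dict, max_len: int) -> str:
    """Vulnerable pattern (assumed shape): oversized output is stringified
    before masking, so the masker sees one opaque string with no keys."""
    text = json.dumps(fields)
    if len(text) > max_len:
        return mask_fixed(text)[:max_len]  # mask_fixed on a bare str is a no-op
    return json.dumps(mask_fixed(fields))


def render_fixed(fields: dict, max_len: int) -> str:
    """Hardened: mask while the structure and its keys are still visible, then truncate."""
    return json.dumps(mask_fixed(fields))[:max_len]


# Constructed inputs: a Variable nested past the depth limit, and a rendered
# field set that exceeds a (constructed) length threshold.
DEEP_VARIABLE = {"a": {"b": {"c": {"d": {"e": {"f": {"db_password": "hunter2"}}}}}}}
RENDERED_FIELDS = {"env": {"API_KEY": "sk-live-123", "HOST": "db"}, "bash_command": "run " + "x" * 200}
```

Redacting the whole subtree past the depth limit loses some harmless data, but a masker's failure mode must be over-redaction: the limit exists to bound work, not to create an unmasked region.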
Apache ActiveMQ's MessageServlet copies all JMS message properties into HTTP response headers without validation, enabling header injection and security header manipulation. The vulnerability affects ActiveMQ before 5.19.7 and versions 6.0.0 through 6.2.5, as well as Apache ActiveMQ Web in the same ranges. The MessageServlet has been deprecated and disabled by default in the fixed versions.
CVE-2026-42252 documents a documentation-pattern vulnerability in Apache Airflow where the official documentation at `core-concepts/dag-run.html` presented a `BashOperator` example using `dag_run.conf` values without shell-quoting or sanitization warnings. DAG authors who copied this verbatim pattern into production deployments exposed trigger-authorized users to shell metacharacter injection via the `con [truncated]
A CWE-639 authorization bypass in Apache Airflow's bulk Task Instances API allows authenticated users with edit permission on one DAG to mutate Task Instance state in any other DAG. The vulnerability exists because the `PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances` endpoint evaluates authorization against the `dag_id` in the URL path while applying mutations to `dag_id` and `dag_r [truncated]
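The event-log detail endpoint and the bulk task-instance endpoint make the same mistake: authorization is evaluated against an identifier other than the one the data is actually keyed on. The Python below is an added example, not Airflow's API code; the in-memory store, permission tables and endpoint shapes are hypothetical. It shows each vulnerable ordering beside the fix that authorizes against the row that is fetched, or rejects body items naming a different Dag before any write.

```python
from dataclasses import dataclass


@dataclass
class EventLog:
    id: int
    dag_id: str
    event: str


@dataclass
class TaskInstance:
    dag_id: str
    dag_run_id: str
    task_id: str
    state: str = "queued"


# Constructed data: two Dags, one user who may only read and edit dag_a.
EVENT_LOGS = {1: EventLog(1, "dag_a", "trigger"), 2: EventLog(2, "dag_b", "delete")}
READ_PERMS = {"alice": {"dag_a"}}
EDIT_PERMS = {"alice": {"dag_a"}}


def fresh_task_instances() -> dict:
    return {
        ("dag_a", "run_1", "t1"): TaskInstance("dag_a", "run_1", "t1"),
        ("dag_b", "run_1", "t1"): TaskInstance("dag_b", "run_1", "t1"),
    }


def can_read(user, dag_id) -> bool:
    return dag_id in READ_PERMS.get(user, set())


def can_edit(user, dag_id) -> bool:
    return dag_id in EDIT_PERMS.get(user, set())


def get_event_log_buggy(user, event_log_id) -> EventLog:
    """Vulnerable pattern (assumed shape): the detail endpoint only asks 'may
    this user read audit logs at all?' and never looks at the row's dag_id."""
    if not READ_PERMS.get(user):
        raise PermissionError("no audit-log permission")
    return EVENT_LOGS[event_log_id]


def get_event_log_fixed(user, event_log_id) -> EventLog:
    """Hardened: authorize against the dag_id of the row actually fetched.
    Missing and forbidden fail the same way so ids cannot be enumerated."""
    row = EVENT_LOGS.get(event_log_id)
    if row is None or not can_read(user, row.dag_id):
        raise PermissionError("not found")
    return row


def patch_task_instances_buggy(store, user, url_dag_id, items) -> list:
    """Vulnerable pattern (assumed shape): authorization uses the URL's dag_id,
    the mutation uses the dag_id carried in each body item."""
    if not can_edit(user, url_dag_id):
        raise PermissionError("forbidden")
    updated = []
    for item in items:
        key = (item["dag_id"], item["dag_run_id"], item["task_id"])
        store[key].state = item["new_state"]
        updated.append(key)
    return updated


def patch_task_instances_fixed(store, user, url_dag_id, items) -> list:
    """Hardened: the path is the authority; a body item naming another Dag is
    rejected before anything is written, and the key is built from the path."""
    if not can_edit(user, url_dag_id):
        raise PermissionError("forbidden")
    for item in items:
        if item.get("dag_id", url_dag_id) != url_dag_id:
            raise PermissionError("body dag_id does not match path")
    updated = []
    for item in items:
        key = (url_dag_id, item["dag_run_id"], item["task_id"])
        store[key].state = item["new_state"]
        updated.append(key)
    return updated


def denied(fn, *args) -> bool:
    """True if fn(*args) raises PermissionError (used to exercise the checks)."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

Validating every body item before the first write matters as much as the check itself: a partial bulk update that stops at the first bad item still leaves earlier cross-Dag mutations applied.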
Apache Airflow's JWTRefreshMiddleware fails to set the Secure flag on JWT authentication cookies, exposing session tokens to cleartext transmission in deployments using TLS-terminating reverse proxies. When the Airflow API server sits behind an HTTPS-terminating proxy (nginx, Envoy, managed load balancers) that forwards plaintext HTTP to the backend, the middleware's omission of the Secure attribute cause [truncated]