Primary

Context

Apache CXF Untrusted JMS Configuration Vulnerability Leading to Remote Code Execution

Vulnerability

Patched

A vulnerability exists in Apache CXF's JMS transport component, specifically in versions 4.2.0 prior to 4.2.1, 4.0.0 prior to 4.1.6, and in all versions prior to 3.6.11. The issue arises from an incomplete fix for a previous vulnerability (CVE-2025-48913), where untrusted JMS configurations could lead to remote code execution. The current vulnerability allows code execution capabilities through another path in the code, if untrusted users are permitted to configure JMS for Apache CXF.

Impact

Exploitation of this vulnerability could lead to unauthorized remote code execution on the server where Apache CXF is running.

Remediation

Users are advised to upgrade to Apache CXF versions 4.2.1, 4.1.6 or 3.6.11, which address this vulnerability.

Added: May 26, 2026, 4:18 PM

Updated: May 26, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

7.5

exploitability

4.1

remediation

7.7

relevance

9.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

7.5

exploitability

4.1

remediation

7.7

relevance

9.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache CXF Untrusted JMS Configuration Vulnerability Leading to Remote Code Execution

Vulnerability

Impact

Remediation

Affected Products

Apache CXF

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating