CVE-2026-44417: Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)
Published May 22, 2026
·Updated
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Affected Software
1 affected component
Apache Apache CXF<4.2.1, <4.1.6, <3.6.11
Event History
May 22, 2026
CVE Published
via MITRE·12:17 PM
Data Sourced
via MITRE·12:17 PM
DescriptionWeakness
Frequently Asked Questions
1
What is the severity of CVE-2026-44417?
The severity of CVE-2026-44417 is rated as 28, indicating a significant risk level.
2
How do I fix CVE-2026-44417?
To fix CVE-2026-44417, upgrade to Apache CXF versions 4.2.1 or later.
3
What does CVE-2026-44417 exploit?
CVE-2026-44417 exploits an incomplete fix related to untrusted JMS configuration in Apache CXF.
4
What are the potential consequences of CVE-2026-44417?
CVE-2026-44417 can lead to remote code execution if untrusted users can configure JMS.
5
Is CVE-2026-44417 related to any other vulnerabilities?
Yes, CVE-2026-44417 is related to an incomplete fix of CVE-2025-48913.