CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality
Published May 22, 2026
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
Affected Software
1 affected component
Apache CXF: <4.2.1, <4.1.6, <3.6.11
Event History
May 22, 2026
CVE Published (via MITRE, 12:17 PM)
Data Sourced (via MITRE, 12:17 PM)
Frequently Asked Questions
1. What is the severity of CVE-2026-44618?
The severity of CVE-2026-44618 is categorized as risk level 28.
2. How do I fix CVE-2026-44618?
To fix CVE-2026-44618, upgrade to Apache CXF versions 4.2.1, 4.1.6, or 3.6.11.
3. What is the impact of CVE-2026-44618?
CVE-2026-44618 allows attackers to perform XML External Entity (XXE) attacks due to an insecure XML parser configuration in the WS-Transfer functionality.
4. Is my version of Apache CXF affected by CVE-2026-44618?
If you are using a version of Apache CXF older than 4.2.1, 4.1.6, or 3.6.11, you are affected by CVE-2026-44618.
5. What type of vulnerability is CVE-2026-44618?
CVE-2026-44618 is classified as an XXE vulnerability under the CWE category for XML External Entity.