Apache CXF Patches LDAP Injection, XXE, and Incomplete-Fix RCE Flaws
The Apache Software Foundation released security updates for Apache CXF to fix three newly disclosed vulnerabilities affecting enterprise deployments of the services framework. The flaws include CVE-2026-44930, an LDAP injection issue in the XKMS LDAP certificate repository that can let attackers manipulate backend search filters and retrieve arbitrary digital certificates, potentially enabling impersonation, interception of encrypted communications, and lateral movement. Apache also addressed an XXE flaw in WS-Transfer caused by insecure XML parser configuration, which could expose sensitive files and support internal network mapping, as well as a possible remote code execution condition tied to an incomplete fix for an older JMS-related bug.
Affected releases include 4.2.0, 4.0.0 through 4.1.5, and older branches before 3.6.11. Apache published patched versions 4.2.1, 4.1.6, and 3.6.11, and guidance urges organizations to upgrade immediately, review LDAP access controls, monitor certificate access activity, and reduce exposure of XKMS components where possible. The disclosures indicate that while the LDAP flaw does not itself provide code execution, the combined set of weaknesses could materially affect trust infrastructure and server security in vulnerable environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Apache releases CXF updates fixing three newly disclosed vulnerabilities
The Apache Software Foundation released security updates for Apache CXF addressing three flaws: an LDAP injection issue in the XKMS LDAP certificate repository, an XXE vulnerability in WS-Transfer, and a remote code execution risk caused by an incomplete fix for an older JMS-related bug. Recommended fixed versions are 4.2.1, 4.1.6, and 3.6.11, covering affected 4.2.0, 4.0.0-4.1.5, and older pre-3.6.11 releases.
Apache publicly discloses CXF LDAP injection flaw CVE-2026-44930
Apache CXF publicly disclosed CVE-2026-44930 on the Apache developer mailing list. The flaw affects the XKMS LDAP certificate repository and can let attackers manipulate LDAP queries to retrieve arbitrary digital certificates.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache Tomcat auth bypass and Apache CXF JMS RCE flaw disclosed
Apache disclosed **CVE-2026-43512**, a moderate-severity authentication bypass in Tomcat's DIGEST authenticator that can let any user unknown to the configured Realm authenticate if the supplied password is `"null"`. The flaw affects multiple supported branches, including Tomcat `11.0.0-M1` through `11.0.21`, `10.1.0-M1` through `10.1.54`, and `9.0.0.M1` through `9.0.117`, with older unsupported releases potentially affected. Apache advised users to upgrade to `11.0.22+`, `10.1.55+`, or `9.0.118+`. Apache also disclosed **CVE-2026-44417**, a moderate-severity flaw in the JMS transport component of Apache CXF caused by an incomplete fix for **CVE-2025-48913**. The remaining vulnerable code path can still lead to remote code execution when untrusted users are allowed to configure JMS. Affected releases include CXF JMS transport `4.2.0` before `4.2.1`, `4.0.0` before `4.1.6`, and all `3.6.x` versions before `3.6.11`; Apache said organizations should upgrade to `4.2.1`, `4.1.6`, or `3.6.11`.
May 25, 2026
Apache Syncope Patches XSS and XXE Flaws Enabling Session Hijacking and Data Leakage
The Apache Software Foundation released security updates for *Apache Syncope* to address vulnerabilities that could enable **session hijacking** and **sensitive data exposure** in identity-management deployments. One issue, **CVE-2026-23794**, is a **reflected XSS** flaw in the **Enduser Login** page where an attacker can trick a user into clicking a crafted link, leading to arbitrary JavaScript execution in the victim’s browser and potential theft of session cookies or actions performed as the user. A second issue, **CVE-2026-23795**, is an **XML External Entity (XXE)** vulnerability in the **Syncope Console** related to creating/editing **Keymaster parameters**; it requires an attacker to have (or obtain) administrator-level entitlements, but can then be used to submit malicious XML to trigger data leakage and potentially facilitate session compromise. Reported affected versions include **3.0–3.0.15** and **4.0–4.0.3**, with fixes available in **3.0.16** and **4.0.4**; organizations running impacted releases are advised to upgrade promptly, particularly given Syncope’s role in authentication and access control.
Mar 21, 2026
Spring patches LDAP auth bypass and multiple DoS flaws across Framework and Data
Spring disclosed a broad set of vulnerabilities across **Spring Framework**, **Spring Data Commons**, and **Spring LDAP**, including a high-severity authentication bypass tracked as `CVE-2026-41720`. The LDAP flaw allows login with a valid username and an empty or null password when the backing LDAP server permits unauthenticated binds, affecting authentication flows that use `AbstractContextSource`, `LdapTemplate`, or `LdapClient`. Spring also fixed a low-severity WebFlux session fixation issue (`CVE-2026-41839`) tied to compromised subdomains, and an information disclosure bug (`CVE-2026-41841`) in Spring MVC and WebFlux where shared static-resource caches could expose protected files if a public resource with the same name had already been cached. Several denial-of-service issues were patched at the same time. In Spring Framework, `CVE-2026-41840` can leak memory through malicious multipart requests in WebFlux, while `CVE-2026-41842` can tie up HTTP connections through slow resolution of versioned file-system resources in Spring MVC or WebFlux. In Spring Data Commons, `CVE-2026-41695`, `CVE-2026-41711`, `CVE-2026-41716`, and `CVE-2026-41721` can be triggered by attacker-controlled property paths, sort parameters, property names, or `@ProjectedPayload` data binding, leading to stack overflows, heap exhaustion, or excessive memory allocation when applications expose those inputs to untrusted users. Spring urged customers to upgrade to fixed releases, including Framework `7.0.8`, `6.2.19`, and `6.1.28`, Data Commons `4.0.6` and `3.5.12`, and LDAP `2.4.5`, `3.2.18`, `3.3.8`, or `4.0.4`, with some older branches receiving fixes only through commercial support.
Jun 11, 2026