CVE-2026-44618 PUBLISHED

Apache CXF: XXE vulnerability in WS-Transfer functionality

Assigner: apache
Reserved: 07.05.2026 | Published: 22.05.2026 | Updated: 22.05.2026

An insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XML External Entity (XXE) attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Product Status

Vendor: Apache Software Foundation
Product: Apache CXF
Versions (default: unaffected):
  • affected from 4.2.0 to 4.2.1 (excl.)
  • affected from 4.0.0 to 4.1.6 (excl.)
  • affected from 0 to 3.6.11 (excl.)

Credits

  • Credit to IcySun (icysun@qq.com), 广东东方思维科技有限公司 (finder)

References

Problem Types

  • CWE-611: Improper Restriction of XML External Entity Reference