Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

CVE-2026-50645: Apache CXF: No restriction on attachment headers per message Colm O hEigeartaigh (Jun 11)
Severity: low

Affected versions:

- Apache CXF (org.apache.cxf:cxf-core) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-core) before 4.1.7

Description:

There is no restriction on the number of attachment headers that a message can contain when being deserialized by
Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to
upgrade to versions 4.2.2 or 4.1.7, which fix this...

CVE-2026-50634: Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry Colm O hEigeartaigh (Jun 11)
Severity: important

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-jose-jaxrs) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-jose-jaxrs) before 4.1.7

Description:

A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that
was not authenticated by the accepted signature. This can bypass the application's assumption that accepted...

CVE-2026-50633: Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl Colm O hEigeartaigh (Jun 11)
Severity: important

Affected versions:

- Apache CXF (org.apache.cxf:cxf-integration-jca) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-integration-jca) before 4.1.7

Description:

A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code
execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation
parameters. Users are...

CVE-2026-50632: Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory Colm O hEigeartaigh (Jun 11)
Severity: moderate

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-transports-jms) before 4.1.7

Description:

A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for
Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to
configure JMS for Apache CXF....

CVE-2026-50631: Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing Colm O hEigeartaigh (Jun 11)
Severity: low

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass
single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked
refresh token...

CVE-2026-50630: Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection Colm O hEigeartaigh (Jun 11)
Severity: low

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate
response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF)
characters....

CVE-2026-50629: Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier Colm O hEigeartaigh (Jun 11)
Severity: low

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages
without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries,
into...

CVE-2026-50628: Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control Colm O hEigeartaigh (Jun 11)
Severity: important

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly
allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security...

CVE-2026-50627: Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator Colm O hEigeartaigh (Jun 11)
Severity: important

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access
tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different...

CVE-2026-50623: Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService Colm O hEigeartaigh (Jun 11)
Severity: moderate

Affected versions:

- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-rt-rs-security-oauth2) before 4.1.7

Description:

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing
'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed...

CVE-2026-49875: Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils Colm O hEigeartaigh (Jun 11)
Severity: important

Affected versions:

- Apache CXF (org.apache.cxf:cxf-core) 4.2.0 before 4.2.2
- Apache CXF (org.apache.cxf:cxf-core) before 4.1.7

Description:

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the
necessary JAXP hardening configurations, enabling out-of-band (OOB)
external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which...

Re: How to request CVE numbers? Securin Disclose (Jun 11)
Hello,

As a CVE Numbering Authority (CNA), Securin can reserve and assign CVE IDs for
your reported vulnerabilities. Once fixes are available, please share the
complete vulnerability details with us. Our team will review the information and
publish the CVEs accordingly.

Our current turnaround times are:

CVE Assignment: Within 24 hours
Publication to MITRE: Within 48 hours after receiving the required details and
confirming readiness for...

Re: How to request CVE numbers? Hauke Mehrtens (Jun 10)
Thank you all for the help.

We requested CVE numbers on github about 1 week ago here:
https://github.com/openwrt/odhcpd/security/advisories/

We will probably patch the vulnerabilities and also publish them before
we have CVE numbers assigned and just update the advisory later.

Hauke

Re: CVE-2026-45257: FreeBSD kTLS-RX in-place AES-GCM decrypt over sendfile(2) EXTPG mbufs to page-cache write / local root Lucas Holt (Jun 10)
This would also impact MidnightBSD 4.0+

Lucas

CVE-2026-45257: FreeBSD kTLS-RX in-place AES-GCM decrypt over sendfile(2) EXTPG mbufs to page-cache write / local root bumsrakete (Jun 10)
## Summary

An unprivileged local user on a default FreeBSD >= 13.0 system (any
PMAP_HAS_DMAP architecture: amd64, arm64, riscv) can write
attacker-influenced bytes into the page-cache page of any file they can
*read*. The write reaches the backing physical page through the kernel
direct map (DMAP) and never traverses the VFS layer, so it bypasses file
permissions, mount options, and `chflags schg`. This yields a reliable
local privilege...