<Vulnerability name="CVE-2026-50633">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-12T09:02:02</PublicDate>
    <Bugzilla id="2488307" url="https://bugzilla.redhat.com/show_bug.cgi?id=2488307" xml:lang="en:us">
apache-cxf: org.apache.cxf/cxf-integration-jca: Apache CXF: Arbitrary code execution via JNDI Injection
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>8.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-502</CWE>
    <Details xml:lang="en:us" source="Mitre">
A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Apache CXF's JCA integration module. This Java Naming and Directory Interface (JNDI) Injection vulnerability allows for arbitrary code execution. A remote attacker could exploit this by manipulating the Java EE Connector Architecture (JCA) deployment descriptor (ra.xml) or runtime activation parameters, leading to the execution of malicious code on the affected system.
    </Details>
    <Statement xml:lang="en:us">
This is an Important vulnerability in Apache CXF's JCA integration module, as shipped in Red Hat products such as JBoss Fuse and Red Hat build of Apache Camel. This JNDI Injection flaw could lead to arbitrary code execution if an attacker successfully manipulates the JCA deployment descriptor or runtime activation parameters. The high attack complexity indicates specific conditions are required for successful exploitation.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:camel_spring_boot:4">
        <ProductName>Red Hat build of Apache Camel for Spring Boot 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>cxf-integration-jca</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_fuse:7">
        <ProductName>Red Hat Fuse 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>cxf-integration-jca</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>cxf-integration-jca</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-50633
https://nvd.nist.gov/vuln/detail/CVE-2026-50633
http://www.openwall.com/lists/oss-security/2026/06/11/10
https://lists.apache.org/thread/1czhgovkgzdkyp3t61wthn0foogh2grf
    </References>
</Vulnerability>