Security Advisory - Published 2026-06-13 - Apache CXF
Apache CXF June 2026 CVEs: OAuth2, JMS/JCA, signatures, and attachments
Apache CXF deployments using OAuth2 services, JMS/JCA integration, JWS JSON filters, or message attachments should move to 4.2.2 or 4.1.7. The highest-risk items are the JMS/JCA code-execution paths and authentication-sensitive OAuth2 endpoints.
What to inventory
| CVE | Area | What to check |
|---|---|---|
| CVE-2026-50632 / 50633 | JMS / JCA | Untrusted JMS or JCA deployment configuration. |
| CVE-2026-50623 / 50629 / 50631 | OAuth2 | Token introspection, clientId logging, and refresh-token replay behavior. |
| CVE-2026-50634 | JWS JSON | Signed metadata assumptions in JAX-RS filters. |
| CVE-2026-50645 | Attachments | Large attachment header counts and deserialization pressure. |
Checks to run
grep -R "org.apache.cxf" . -n --include="pom.xml" --include="*.gradle" --include="*.lock"
grep -RniE "TokenIntrospectionService|OAuth2|JMS|JCA|JwsJsonContainerRequestFilter" src config WEB-INF 2>/dev/null
Confirm the CXF version from the built artifact as well as the source tree: Java apps often carry old libraries inside WAR/EAR packages even after the build file has been changed.
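The build-file grep only tells you what the project declares. The check below, added here as an example and not part of the advisory or of the CXF project, inspects the CXF jars actually present in an exploded WAR/EAR (unzip -q app.war -d /tmp/app, then point it at /tmp/app/WEB-INF/lib) and compares each version against the fixed releases named above, 4.2.2 and 4.1.7. The advisory names no fixed release for older branches, so the script treats 4.0.x and 3.x as needing an upgrade; anything newer than 4.2.2 is assumed to carry the fix. Jar-name patterns and the version-from-filename rule are assumptions about how CXF artifacts are normally named.

```shell
#!/bin/sh
# Added example (not from the Apache CXF advisory or project): check the CXF
# jars shipped in an exploded WAR/EAR against the fixed releases 4.2.2 / 4.1.7.
# Assumptions: jars are named cxf-<module>-<major.minor.patch>[-qualifier].jar,
# branches below 4.1 need an upgrade, branches above 4.2 already carry the fix.

# Exit 0 if VERSION (4.1.3, 4.2.2, 4.2.2-SNAPSHOT, ...) is at or past the fix,
# 1 if it is not, 2 if the string is not a major.minor.patch version.
cxf_version_fixed() {
  v=${1%%-*}                         # drop -SNAPSHOT and similar qualifiers
  case "$v" in
    *[!0-9.]*) return 2 ;;
  esac
  case "$v" in
    *.*.*) ;;
    *) return 2 ;;
  esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%.*}
  if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 2 ]; }; then
    return 0                         # assumed: a branch newer than 4.2.2
  elif [ "$major" -eq 4 ] && [ "$minor" -eq 2 ]; then
    [ "$patch" -ge 2 ] && return 0   # 4.2.x fixed in 4.2.2
  elif [ "$major" -eq 4 ] && [ "$minor" -eq 1 ]; then
    [ "$patch" -ge 7 ] && return 0   # 4.1.x fixed in 4.1.7
  fi
  return 1                           # 4.0.x, 3.x and unfixed 4.1/4.2 releases
}

# Scan DIR (typically WEB-INF/lib of an exploded WAR) for cxf-*.jar and report
# each one. Exit 0 if every CXF jar is fixed, 1 if any needs an upgrade or has
# no readable version, 2 if no CXF jar was found (it may be bundled elsewhere).
cxf_scan_lib_dir() {
  found=0
  bad=0
  for jar in "$1"/cxf-*.jar; do
    [ -e "$jar" ] || continue
    found=1
    name=${jar##*/}
    # take the last "-major.minor.patch" run in the file name as the version
    ver=$(printf '%s\n' "$name" | sed -n 's/.*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
      printf '%s\tunknown-version\tCHECK MANIFEST\n' "$name"
      bad=1
      continue
    fi
    if cxf_version_fixed "$ver"; then
      printf '%s\t%s\tok\n' "$name" "$ver"
    else
      printf '%s\t%s\tUPGRADE\n' "$name" "$ver"
      bad=1
    fi
  done
  [ "$found" -eq 1 ] || return 2
  return "$bad"
}

# Usage: sh cxf-check.sh /tmp/app/WEB-INF/lib
if [ -n "$1" ]; then
  cxf_scan_lib_dir "$1"
fi
```

Run it against every deployed artifact, not only the one the build produces today: an exit status of 2 means no CXF jar was found in that directory, which for an application known to use CXF means the library is bundled somewhere else (a fat jar, a shared container lib directory) and still has to be located.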
Safe fix path
- Upgrade Apache CXF to 4.2.2 or 4.1.7.
- Restrict OAuth2 and admin endpoints while the update is deployed.
- Review JMS/JCA descriptors and remove user-controlled deployment paths.
- Check logs for forged-looking entries, repeated token introspection access, and attachment-related memory errors.
- Redeploy from a clean artifact and verify the runtime classpath.
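For the log review step, the "repeated token introspection access" item is the one that can be scripted. The following is an added example, not part of the advisory, that counts introspection requests per client and per minute in a combined-format access log and prints every client-minute at or above a threshold. The advisory does not name the endpoint path, so /oauth2/introspect and the threshold of 20 requests per minute are assumptions; set them to wherever your OAuth2 services are mounted and to what your legitimate resource servers actually do. The sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Apache CXF advisory): flag clients hammering the
# token introspection endpoint in a combined-format access log.
# Assumptions: the endpoint path below and the per-minute threshold.

INTROSPECT_PATH=${INTROSPECT_PATH:-/oauth2/introspect}   # assumed mount point
BURST_THRESHOLD=${BURST_THRESHOLD:-20}                    # requests per client per minute

# Constructed sample log: one client sends 25 introspection requests inside a
# single minute, another sends two spread out, plus unrelated traffic.
sample_access_log() {
  i=0
  while [ "$i" -lt 25 ]; do
    printf '203.0.113.7 - - [13/Jun/2026:09:14:%02d +0000] "POST /oauth2/introspect HTTP/1.1" 200 312\n' "$i"
    i=$((i + 1))
  done
  printf '198.51.100.9 - - [13/Jun/2026:09:14:05 +0000] "POST /oauth2/introspect HTTP/1.1" 200 312\n'
  printf '198.51.100.9 - - [13/Jun/2026:09:17:41 +0000] "POST /oauth2/introspect HTTP/1.1" 200 312\n'
  printf '198.51.100.9 - - [13/Jun/2026:09:14:50 +0000] "GET /api/orders HTTP/1.1" 200 4120\n'
}

# Reads combined-format log lines on stdin; prints "ip dd/Mon/yyyy:hh:mm count"
# for every client-minute at or above the threshold (optional first argument,
# default BURST_THRESHOLD). Fields: $1 client IP, $4 "[timestamp", $7 request path.
introspection_bursts() {
  thr=${1:-$BURST_THRESHOLD}
  awk -v path="$INTROSPECT_PATH" -v thr="$thr" '
    $7 == path {
      minute = substr($4, 2, 17)      # "[13/Jun/2026:09:14:01" -> "13/Jun/2026:09:14"
      n[$1 " " minute]++
    }
    END { for (k in n) if (n[k] >= thr) print k, n[k] }'
}

# Demo on the constructed sample; for a real log: introspection_bursts < access.log
sample_access_log | introspection_bursts
```

A hit is a lead, not a verdict: a legitimate resource server that validates every incoming bearer token will also show up, so compare the source address against the list of clients registered with the authorization server before treating a burst as replay or probing.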
Ping7 repair path
Ping7 can review CXF dependency state, OAuth2 endpoint exposure, JMS/JCA configuration, and post-patch logs. Use CVE Repair for owned systems or client-approved Java services.