Security Advisory - Published 2026-06-13 - Apache CXF

Apache CXF June 2026 CVEs: OAuth2, JMS/JCA, signatures, and attachments

Apache CXF deployments using OAuth2 services, JMS/JCA integration, JWS JSON filters, or message attachments should move to 4.2.2 or 4.1.7. The highest-risk items are the JMS/JCA code-execution paths and authentication-sensitive OAuth2 endpoints.

Defensive scope: this page covers version checks, endpoint inventory, configuration review, and patch verification. It does not include request payloads or JNDI/JMS abuse steps.

What to inventory

CVE | Area | What to check
CVE-2026-50632 / 50633 | JMS / JCA | Untrusted JMS or JCA deployment configuration.
CVE-2026-50623 / 50629 / 50631 | OAuth2 | Token introspection, clientId logging, and refresh-token replay behavior.
CVE-2026-50634 | JWS JSON | Signed metadata assumptions in JAX-RS filters.
CVE-2026-50645 | Attachments | Large attachment header counts and deserialization pressure.

Checks to run

# Locate CXF dependencies declared in build files (Maven, Gradle, lock files)
grep -Rn "org.apache.cxf" . --include="pom.xml" --include="*.gradle" --include="*.lock"
# Locate code and configuration that wires up the affected CXF features
grep -RniE "TokenIntrospectionService|OAuth2|JMS|JCA|JwsJsonContainerRequestFilter" src config WEB-INF 2>/dev/null

Confirm the CXF version from the built artifact as well as the source tree. Java apps often carry old libraries inside WAR/EAR packages even after the build file has been changed.
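The following is an added example, not code from this advisory or from the Apache CXF project. It shows one way to read the CXF version out of a built WAR/EAR rather than trusting the build file: it walks the archive, reads the Maven pom.properties that CXF jars ship under META-INF/maven/org.apache.cxf/, falls back to the jar file name, and compares each version against the fixed releases named above (4.2.2 and 4.1.7; any other release line is reported as needing an upgrade, since the advisory names only those two). The sample WAR is constructed in memory so the script runs offline; real archives would be passed as bytes read from disk.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Fixed releases named in the advisory, keyed by release line (major, minor).
# Versions on any other line are treated as "upgrade" because the advisory
# lists only these two fixed releases.
FIXED = {(4, 2): (4, 2, 2), (4, 1): (4, 1, 7)}

POM_PROPS_RE = re.compile(r"^META-INF/maven/org\.apache\.cxf/[^/]+/pom\.properties$")
JAR_NAME_RE = re.compile(r"^(?:.*/)?cxf-([a-z0-9-]+)-(\d+\.\d+\.\d+)\.jar$")
NESTED = (".jar", ".war", ".ear")


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.1.5' -> (4, 1, 5); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_fixed(version: str) -> bool:
    """True only if the version is at or above the fixed release on its line."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v >= fixed


def scan_archive(archive_bytes: bytes, prefix: str = "") -> Dict[str, str]:
    """Recursively walk a WAR/EAR/jar and map each CXF artifactId to its version.

    Maven's pom.properties is authoritative; the jar file name is only a
    fallback for repackaged jars that lack the Maven metadata.
    """
    results: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as archive:
        for name in archive.namelist():
            full = prefix + name
            if POM_PROPS_RE.match(name):
                props = dict(
                    line.split("=", 1)
                    for line in archive.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                results[props.get("artifactId", full)] = props.get("version", "unknown")
            elif name.endswith(NESTED):
                nested = scan_archive(archive.read(name), full + "!/")
                m = JAR_NAME_RE.match(name)
                if m and not nested:
                    nested = {"cxf-" + m.group(1): m.group(2)}
                results.update(nested)
    return results


def assess(versions: Dict[str, str]) -> Dict[str, str]:
    """Label each artifact 'fixed' or 'upgrade' against the advisory's releases."""
    return {a: ("fixed" if is_fixed(v) else "upgrade") for a, v in versions.items()}


def build_sample_war() -> bytes:
    """Constructed sample (not a real deployment): a WAR with one CXF jar that
    carries pom.properties (4.1.5) and one identifiable only by file name (4.2.2)."""

    def make_jar(artifact: str, version: str, with_props: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_props:
                jar.writestr(
                    f"META-INF/maven/org.apache.cxf/{artifact}/pom.properties",
                    f"#Generated by Maven\nversion={version}\n"
                    f"groupId=org.apache.cxf\nartifactId={artifact}\n",
                )
        return buf.getvalue()

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/lib/cxf-rt-rs-security-oauth2-4.1.5.jar",
                   make_jar("cxf-rt-rs-security-oauth2", "4.1.5", True))
        w.writestr("WEB-INF/lib/cxf-core-4.2.2.jar",
                   make_jar("cxf-core", "4.2.2", False))
    return war.getvalue()


if __name__ == "__main__":
    found = scan_archive(build_sample_war())
    for artifact, verdict in assess(found).items():
        print(f"{artifact:<32} {found[artifact]:<10} {verdict}")
```

Run it against a real deployment by replacing build_sample_war() with the bytes of the deployed WAR or EAR; a mixed result (one artifact fixed, another still on an old line, as in the sample) is exactly the partially-updated classpath that step 5 of the fix path is meant to catch.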

Safe fix path

  1. Upgrade Apache CXF to 4.2.2 or 4.1.7.
  2. Restrict OAuth2 and admin endpoints while the update is deployed.
  3. Review JMS/JCA descriptors and remove user-controlled deployment paths.
  4. Check logs for forged-looking entries, repeated token introspection access, and attachment-related memory errors.
  5. Redeploy from a clean artifact and verify the runtime classpath.

Ping7 repair path

Ping7 can review CXF dependency state, OAuth2 endpoint exposure, JMS/JCA configuration, and post-patch logs. Use CVE Repair for owned systems or client-approved Java services.

References