Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

Basic Information

ID CVE-2026-44930

Source apache

Published May 22, 2026 at 12:16

Modified May 22, 2026 at 17:24

Affected Product

Vendor Apache Software Foundation

Product Apache CXF

Version 4.2.0

Affected Versions Apache Software Foundation Apache CXF 4.2.0
Apache Software Foundation Apache CXF 4.0.0
Apache Software Foundation Apache CXF 0

CWE Classification

CWE-90

References

lists.apache.org /thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh

{
    "lastseen": "",
    "description": "An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.\u00a0\nUsers are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.",
    "published": "2026-05-22T12:16:47.230Z",
    "modified": "2026-05-22T17:24:09.053Z",
    "type": "cve",
    "title": "Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository",
    "source": "apache",
    "references": "https://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh",
    "id": "CVE-2026-44930",
    "bulletinFamily": "",
    "cwe": [
        "CWE-90"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache CXF 4.2.0\nApache Software Foundation Apache CXF 4.0.0\nApache Software Foundation Apache CXF 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache CXF",
    "version": "4.2.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository_CVE-2026-44930