CVE-2026-50645

CVE-2026-50645: Apache CXF: No restriction on attachment headers per message

Vendor Apache Software Foundation

Product Apache CXF

Weakness CWE-400

Published June 12, 2026

Last update June 12, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by imposing a maximum default of 500 attachments per message.

Key dates

Disclosure timeline

June 12, 2026 CVE published

June 12, 2026 Record updated

Identifiers

CVE CVE-2026-50645

CWE CWE-400

Affected versions

Vendor Apache Software Foundation

Product Apache CXF

Affected ≥ 4.2.0 and < 4.2.2

Vendor Apache Software Foundation

Product Apache CXF

Affected < 4.1.7