Apache CXF has an LDAP injection vulnerability
Critical severity
GitHub Reviewed
Published
May 26, 2026
to the GitHub Advisory Database
•
Updated Jun 29, 2026
Package
Affected versions
= 4.2.0
>= 4.1.0, < 4.1.6
< 3.6.11
Patched versions
4.2.1
4.1.6
3.6.11
Description
Published by the National Vulnerability Database
May 22, 2026
Published to the GitHub Advisory Database
May 26, 2026
Reviewed
Jun 29, 2026
Last updated
Jun 29, 2026
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.
Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.
References