CVE-2026-44417, CVE-2026-44618, CVE-2026-44930

Data: 2026-05-22

Severity: Critical

CVSS Score:

• CVE-2026-44417: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

• CVE-2026-44618: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

• CVE-2026-44930: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Nota

La severity e i CVSS Score si riferiscono alle vulnerabilità delle librerie; come descritto nella sezione GovWay le vulnerabilità non si manifestano nel prodotto.

Riferimenti:

• https://nvd.nist.gov/vuln/detail/CVE-2026-44417

• https://nvd.nist.gov/vuln/detail/CVE-2026-44618

• https://nvd.nist.gov/vuln/detail/CVE-2026-44930

• https://lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjvmclvz4o

• https://lists.apache.org/thread/c7vb015f8ljmjl44030mn0yfq71f7sd7

• https://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh

Libreria: org.apache.cxf:* <= 4.2.0

Descrizione

1. [CVE-2026-44417] CWE-20: Improper Input Validation

The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

2. [CVE-2026-44618] CWE-611: Improper Restriction of XML External Entity Reference

Insecure XML parser configuration in Apache CXF’s WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

3. [CVE-2026-44930] CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (“LDAP Injection”)

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue.

GovWay

Le tre vulnerabilità interessano componenti di Apache CXF che non fanno parte della distribuzione di GovWay, il quale utilizza esclusivamente il core CXF e i runtime JAX-WS/JAX-RS su trasporto HTTP (oltre al modulo JOSE per la sicurezza dei messaggi):

• CVE-2026-44930 riguarda il server XKMS di CXF (modulo cxf-services-xkms), non presente in GovWay;

• CVE-2026-44417 riguarda la configurazione del trasporto JMS di CXF (modulo cxf-rt-transports-jms), non utilizzato da GovWay;

• CVE-2026-44618 riguarda il modulo WS-Transfer di CXF (cxf-ws-transfer), non presente in GovWay.

Per questi motivi le vulnerabilità non si manifestano nel prodotto.

Ciò premesso, la libreria verrà comunque aggiornata nei prossimi rilasci.

Versione affette:

• 3.3.x: <= 3.3.19.p1

• 3.4.x: <= 3.4.2.p1

Risoluzione:

• 3.3.x: 3.3.20

• 3.4.x: 3.4.3