{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44930","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2026-05-08T10:39:48.240Z","datePublished":"2026-05-22T12:16:47.230Z","dateUpdated":"2026-06-30T03:18:01.336Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://repo.maven.apache.org/maven2","defaultStatus":"unaffected","packageName":"org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap","product":"Apache CXF","vendor":"Apache Software Foundation","versions":[{"lessThan":"4.2.1","status":"affected","version":"4.2.0","versionType":"semver"},{"lessThan":"4.1.6","status":"affected","version":"4.0.0","versionType":"semver"},{"lessThan":"3.6.11","status":"affected","version":"0","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.&nbsp;<br>Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue."}],"value":"An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. \nUsers are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue."}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-90","description":"CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2026-05-22T12:16:47.230Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh"}],"source":{"discovery":"UNKNOWN"},"title":"Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":4.3,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"LOW","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-05-22T17:24:05.903573Z","id":"CVE-2026-44930","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-22T17:24:09.053Z"}},{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/05/22/9"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-05-22T21:26:22.941Z"}},{"affected":[{"cpes":["cpe:/a:redhat:camel_spring_boot:4"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel for Spring Boot 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"}],"datePublic":"2026-05-22T12:16:47.230Z","descriptions":[{"lang":"en","value":"A flaw was found in Apache CXF. A remote attacker could exploit an LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server. This vulnerability allows the attacker to retrieve arbitrary certificates from the repository, leading to information disclosure."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-90","description":"Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-44930"},{"name":"RHBZ#2480728","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2480728"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44930.json"}],"timeline":[{"lang":"en","time":"2026-05-22T13:00:51.621Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-22T12:16:47.230Z","value":"Made public."}],"title":"apache-cxf: org.apache.cxf.services.xkms/cxf-services-xkms-x509-repo-ldap: Apache CXF: Information Disclosure via LDAP Injection","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T03:18:01.336Z"}}]}}