External risk intelligence

Apache CXF XML External Entity Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-49875

A vulnerability in Apache CXF allows for external entity resolution, which could lead to sensitive information disclosure or denial of service. This issue arises from how certain classes construct a SAXParserFactory without proper hardening. Given Apache CXF's widespread use in building web services and APIs, systems u

4Halo Surface Signal

XML External Entity Injection

Apache Cxf

before 4.1.74.2.0 to before 4.2.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-49875

Apache CXF is a widely used framework for building web services and APIs. Because these services are frequently deployed as internet-facing endpoints or edge gateways to facilitate communication between distributed systems, the vulnerable components within the library are commonly exposed to network traffic.

PCI scan relevance

PCI Relevance for CVE-2026-49875

Yes

CVE-2026-49875 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

A critical XML External Entity (XXE) injection vulnerability exists in Apache CXF that could allow an unauthenticated attacker to read arbitrary files, perform SSRF attacks, or potentially achieve remote code execution. This impacts systems processing XML, making it relevant for

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This CVE addresses a critical vulnerability in Apache CXF, a framework used for building web services and APIs. The issue involves how certain components process external data, potentially allowing unauthorized access or manipulation of systems that utilize this framework. The main concern is to confirm if our deployed services are impacted and understand the potential exposure.

  • Flaw in data processing could allow unauthorized access.
  • Apache CXF is widely used for web services and APIs.
  • Confirm relevance and exposure of deployed services.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to a service built with Apache CXF. This allows them to manipulate how the service processes XML data, leading to sensitive information disclosure, tampering, and potential denial of service.

  • Network access to an exposed service.
  • Triggering XML parsing with malicious input.
  • Remote code execution and data compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to trigger external entity resolution when processing XML, potentially exposing sensitive information or leading to denial of service when the affected components are used in specific ways.

  • System data could be exposed.
  • External entity resolution could be triggered.
  • Denial of service is a potential outcome.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The primary responsibility for addressing this vulnerability typically falls to the teams managing the Apache CXF deployments, which could include application owners, platform teams, or infrastructure teams depending on the deployment model. The immediate first step is to inventory all instances of Apache CXF within the environment, confirm their network exposure and business criticality, and then identify the accountable owner for each instance to coordinate remediation efforts based on the assessed risk.

  • Identify affected CXF deployments.
  • Verify network exposure and criticality.
  • Confirm ownership and plan remediation.

Frequently asked questions

What is Apache CXF and how is it used?

Apache CXF is an open-source services framework. Developers use it to build and support web services and APIs, often acting as a bridge for communication between different software systems using protocols like SOAP or REST.

How does CVE-2026-49875 work?

This vulnerability is classified as CWE-611, or Improper Restriction of XML External Entity Reference. It occurs because certain CXF classes process incoming XML data without strict safety configurations, which can trick the system into fetching unauthorized external files or data.

Can any XML request trigger this vulnerability?

Not every XML interaction triggers the flaw. The vulnerability specifically relies on the system processing specially crafted XML input that forces the parser to resolve external entities. Standard, well-formed XML that does not request external resources will not activate this specific path.

Why does Halo Surface Signal flag this as important?

Halo Surface Signal notes that Apache CXF is frequently deployed at the edge of networks to handle service communication. Because these endpoints are often intentionally accessible via the internet, there is a higher likelihood that malicious traffic can reach the vulnerable components.

Do I need to update my Apache CXF deployment?

Yes, if you are running an affected version, you should plan to upgrade to 4.2.2 or 4.1.7. Start by creating an inventory of all services using this framework, confirm which instances are internet-facing, and coordinate with the relevant team to apply the patch.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified