For information on how to report a new security problem please see here.

2026

  • CVE-2026-44417: Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)
  • CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality
  • CVE-2026-44930: Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository
  • CVE-2026-49875: Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils
  • CVE-2026-50623: Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService
  • CVE-2026-50627: Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator
  • CVE-2026-50628: Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control
  • CVE-2026-50629: Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
  • CVE-2026-50630: Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection
  • CVE-2026-50631: Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing
  • CVE-2026-50632: Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory
  • CVE-2026-50633: Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl
  • CVE-2026-50634: Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry
  • CVE-2026-50645: Apache CXF: No restriction on attachment headers per message

2025

  • CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files
  • CVE-2025-48795: Apache CXF: Denial of Service and sensitive data exposure in logs
  • CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE

2024

2022

2021

  • CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter
  • CVE-2021-22696: OAuth 2 authorization service vulnerable to DDoS attacks

2020

  • CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath
  • CVE-2020-1954: Apache CXF JMX Integration is vulnerable to a MITM attack

2019

  • CVE-2019-17573: Apache CXF Reflected XSS in the services listing page
  • CVE-2019-12423: Apache CXF OpenId Connect JWK Keys service returns private/secret credentials if configured with a jwk keystore
  • CVE-2019-12419: Apache CXF OpenId Connect token service does not properly validate the clientId
  • CVE-2019-12406: Apache CXF does not restrict the number of message attachments

2018

  • CVE-2018-8039: Apache CXF TLS hostname verification does not work correctly with com.sun.net.ssl.
  • CVE-2018-8038: Apache CXF Fediz is vulnerable to DTD based XML attacks

2017

  • CVE-2017-12631: CSRF vulnerabilities in the Apache CXF Fediz Spring plugins.
  • CVE-2017-12624: Apache CXF web services that process attachments are vulnerable to Denial of Service (DoS) attacks.
  • CVE-2017-7662: The Apache CXF Fediz OIDC Client Registration Service is vulnerable to CSRF attacks.
  • CVE-2017-7661: The Apache CXF Fediz Jetty and Spring plugins are vulnerable to CSRF attacks.
  • CVE-2017-5656: Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens.
  • CVE-2017-5653: Apache CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted.
  • CVE-2017-3156: Apache CXF OAuth2 Hawk and JOSE MAC Validation code is vulnerable to the timing attacks

2016

  • CVE-2016-8739: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE
  • CVE-2016-6812: XSS risk in Apache CXF FormattedServiceListWriter when a request URL contains matrix parameters
  • CVE-2016-4464: Apache CXF Fediz application plugins do not match the SAML AudienceRestriction values against the list of configured audience URIs

2015

  • CVE-2015-5253: Apache CXF SAML SSO processing is vulnerable to a wrapping attack
  • CVE-2015-5175: Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks

2014

  • CVE-2014-3577: Apache CXF SSL hostname verification bypass
  • Note on CVE-2014-3566: SSL 3.0 support in Apache CXF, aka the "POODLE" attack.
  • CVE-2014-3623: Apache CXF does not properly enforce the security semantics of SAML SubjectConfirmation methods when used with the TransportBinding
  • CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS) attack
  • CVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errors
  • CVE-2014-0110: Large invalid content could cause temporary space to fill
  • CVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as valid
  • CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy

2013

  • CVE-2013-2160 - Denial of Service Attacks on Apache CXF
  • Note on CVE-2012-5575 - XML Encryption backwards compatibility attack on Apache CXF.
  • CVE-2013-0239 - Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.

2012

  • CVE-2012-5633 - WSS4JInInterceptor always allows HTTP Get requests from browser.
  • Note on CVE-2011-2487 - Bleichenbacher attack against distributed symmetric key in WS-Security.
  • CVE-2012-3451 - Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.
  • CVE-2012-2379 - Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token.
  • CVE-2012-2378 - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.
  • Note on CVE-2011-1096 - XML Encryption flaw / Character pattern encoding attack.
  • CVE-2012-0803 - Apache CXF does not validate UsernameToken policies correctly.

2010