{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aapachecxf/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*","cpe:2.3:a:apache:cxf:4.2.0:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-44930"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CXF"],"_cs_severities":["high"],"_cs_tags":["ldap-injection","cve","web-application"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eAn LDAP injection vulnerability exists within the LDAP Certificate repository of the XKMS server in Apache CXF. This flaw, identified as CVE-2026-44930, potentially allows a remote attacker to inject malicious LDAP queries. Successful exploitation could lead to the unauthorized retrieval of arbitrary certificates from the repository. The vulnerability affects Apache CXF versions prior to 4.2.1, 4.1.6, and 3.6.11. 
Organizations using Apache CXF should upgrade to the patched versions to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Apache CXF server with an exposed XKMS service using the LDAP Certificate repository.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious LDAP query string containing injection payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the vulnerable XKMS endpoint, embedding the malicious LDAP query.\u003c/li\u003e\n\u003cli\u003eThe Apache CXF server processes the request and constructs an LDAP query using the attacker-supplied input without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe crafted LDAP query is executed against the LDAP server.\u003c/li\u003e\n\u003cli\u003eDue to the LDAP injection vulnerability, the attacker is able to bypass intended access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive certificate data from the LDAP server that they are not authorized to access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44930 can lead to the unauthorized disclosure of sensitive information, specifically the arbitrary certificates stored within the LDAP repository. The impact of this vulnerability is significant as compromised certificates can be used for identity spoofing, man-in-the-middle attacks, and other malicious activities. 
Organizations utilizing affected versions of Apache CXF are at risk of having their certificate data exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Apache CXF versions 4.2.1, 4.1.6, or 3.6.11 to remediate the LDAP injection vulnerability, as described in the advisory (\u003ca href=\"https://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh\"\u003ehttps://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detects CVE-2026-44930 Exploitation — Malicious LDAP Query\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual LDAP-related requests targeting the XKMS service.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:52:23Z","date_published":"2026-05-26T13:52:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-apache-cxf-ldap-injection/","summary":"CVE-2026-44930 is an LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF that may allow an attacker to retrieve arbitrary certificates from the repository.","title":"CVE-2026-44930: Apache CXF LDAP Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-apache-cxf-ldap-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}