CVE-2026-42404 — MEDIUM (6.5)

Q: How severe is CVE-2026-42404?

CVE-2026-42404 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-42404?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Neethi.

Vulnerability Description

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Neethi	< 3.2.2

Related Weaknesses (CWE)

CWE-918

References

https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oqIssue TrackingVendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/01/8Mailing ListThird Party Advisory

FAQ

What is CVE-2026-42404?

CVE-2026-42404 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a polic...

How severe is CVE-2026-42404?

CVE-2026-42404 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-42404?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Neethi.