CVE-2026-42404
CVE-2026-42404 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP addresses. EPSS estimates a 0.50% chance of exploitation in the next 30 days.
Description
Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP addresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
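As an added illustration of the allow-list the advisory describes (this is not Neethi's own code; the class and method names are assumptions), the check below admits only http/https URIs whose resolved addresses are not link-local, multicast or any-local, using the java.net.InetAddress predicates of the same names:

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Set;

/** Allow-list guard for a remote policy URI (added example, not Neethi code). */
public final class PolicyUriGuard {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private PolicyUriGuard() {}

    /**
     * Returns true when the URI may be fetched: scheme is http or https, a host
     * is present, and no resolved address is link-local, multicast or any-local.
     * Resolution happens here so the check and the later fetch see the same
     * addresses; a resolver difference between the two would reopen the gap.
     */
    public static boolean isFetchAllowed(URI uri) {
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            return false; // file:, ftp:, jar: and any other scheme are rejected
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        try {
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (addr.isLinkLocalAddress() || addr.isMulticastAddress()
                        || addr.isAnyLocalAddress()) {
                    return false;
                }
            }
        } catch (UnknownHostException e) {
            return false; // unresolvable host: do not fetch
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample URIs (literal IPs, so no DNS lookup is needed).
        String[] samples = {
            "https://203.0.113.10/policies/base.xml", // allowed
            "file:///etc/hosts",                       // rejected: scheme
            "http://[fe80::1]/policy",                 // rejected: link-local
            "http://224.0.0.1/policy",                 // rejected: multicast
            "http://0.0.0.0/policy",                   // rejected: any-local
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isFetchAllowed(URI.create(s)) ? "allowed" : "rejected"));
        }
    }
}
```

The advisory's description covers only link-local, multicast and any-local addresses; a deployment that must also refuse loopback or private ranges can extend the same loop with isLoopbackAddress() and isSiteLocalAddress().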
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Neethi | < 3.2.2 |
References
- https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oq (Issue Tracking, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/05/01/8 (Mailing List, Third Party Advisory)
Timeline
- Status: Analyzed
Source: NVD / NIST
