VDB

CVE-2026-42404

CVE-2026-42404 PUBLISHED CVSS 6.5 MEDIUM

Reported by apache · Published May 1, 2026

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

EPSS 0.03% · 10.8th percentile

Risk Scores

CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score
0.03%
10.8th percentile

Affected Products

VendorProductVersions
Apache Software FoundationApache Neethi0
Apache Software FoundationApache Neethi0

Timeline

  • May 1, 2026 CVE Published
  • May 1, 2026 CVE Updated
  • May 8, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 21, 2026 Distribution Patch
  • May 21, 2026 Security Advisory
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score

References

  • vendor-advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›