CVE-2026-42404
MEDIUM
CVSS 6.5
No EPSS data
Description
Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-42404",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "security@apache.org",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 6.5,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "LOW"
},
"impactScore": 2.5,
"exploitabilityScore": 3.9
},
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "CHANGED",
"version": "3.1",
"baseScore": 7.2,
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "LOW"
},
"impactScore": 2.7,
"exploitabilityScore": 3.9
}
]
},
"published": "2026-05-01T11:16:19.230",
"references": [
{
"url": "https://lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oq",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"source": "security@apache.org"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/8",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"source": "af854a3a-2127-422b-91ae-364da2661108"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Secondary",
"source": "security@apache.org",
"description": [
{
"lang": "en",
"value": "CWE-918"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes this issue."
}
],
"lastModified": "2026-05-01T18:06:24.337",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:neethi:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "919C93DA-F5F7-4F2B-AD9B-C3BD46065619",
"versionEndExcluding": "3.2.2"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security@apache.org"
}
}