Bug 2464324 (CVE-2026-42404) - CVE-2026-42404 Apache Neethi: Apache Neethi: Information disclosure and network access bypass via PolicyReference API
Summary: CVE-2026-42404 Apache Neethi: Apache Neethi: Information disclosure and netwo...
Keywords:
Status: NEW
Alias: CVE-2026-42404
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 11:01 UTC by OSIDB Bzimport
Modified: 2026-05-20 20:47 UTC (History)
45 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:19835 0 None None None 2026-05-20 20:47:52 UTC

Description OSIDB Bzimport 2026-05-01 11:01:30 UTC
Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Comment 2 errata-xmlrpc 2026-05-20 20:47:49 UTC
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.14 for Quarkus 3.27

Via RHSA-2026:19835 https://access.redhat.com/errata/RHSA-2026:19835


Note You need to log in before you can comment on or make changes to this bug.