CVE-2026-42403: Apache Neethi: Circular Policy Reference Infinite Loop

Colm O hEigeartaigh Fri, 01 May 2026 01:21:41 -0700

Severity: High

Affected versions:


- Apache Neethi before 3.2.2

Description:

Apache Neethi does not properly detect circular references in policy
definitions. When a WS-Policy document contains circular policy
references (where Policy A references Policy B which references Policy
A), the policy normalization process can enter an infinite loop or
cause excessive recursion, leading to a stack overflow or application
hang. An attacker can craft malicious policy documents with circular
references to cause a Denial of Service condition

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

References:

https://ws.apache.org/neethi/security.html
https://www.cve.org/CVERecord?id=CVE-2026-42403

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

CVE-2026-42403: Apache Neethi: Circular Policy Reference Infinite Loop

Reply via email to