CVE-2026-42404
HIGH WAF: Medium
CVSS 7.2
Published: 2026-05-01
CWE-918
Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP addresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
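The 3.2.2 restrictions described above, as an added Java example that is not Neethi's own code: a hypothetical PolicyUriGuard that accepts only http/https references and rejects any host resolving to a link-local, multicast or any-local address before a fetch is attempted. The class name, method name and sample URIs are assumptions, and the sample hosts are literal addresses from reserved ranges so the check runs offline.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical pre-fetch guard mirroring the scheme and address checks described for 3.2.2. */
public final class PolicyUriGuard {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns the URI if it may be fetched, otherwise throws IllegalArgumentException. */
    public static URI checkRemotePolicyUri(String raw) throws UnknownHostException {
        URI uri = URI.create(raw); // throws IllegalArgumentException on malformed input
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed for policy reference: " + raw);
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("policy reference has no host: " + raw);
        }
        // Check every address the host maps to; a name with one acceptable and one
        // forbidden address must still be rejected.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLinkLocalAddress() || addr.isMulticastAddress() || addr.isAnyLocalAddress()) {
                throw new IllegalArgumentException("policy reference resolves to forbidden address " + addr);
            }
        }
        // Caveat: the HTTP client that performs the fetch must apply the same check to
        // redirect targets and should reuse this resolution, or the guard can be bypassed
        // by a redirect or by a DNS answer that changes between check and fetch.
        return uri;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one allowed reference, then one per rejected class.
        String[] samples = {
            "https://203.0.113.10/policy.xml", // TEST-NET-3, allowed
            "ftp://203.0.113.10/policy.xml",   // scheme not http/https
            "http://169.254.10.10/policy.xml", // link-local
            "http://224.0.0.1/policy.xml",     // multicast
            "http://0.0.0.0/policy.xml"        // any-local
        };
        for (String s : samples) {
            try {
                System.out.println("allow  " + checkRemotePolicyUri(s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```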
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| apache | neethi | up to 3.2.2 |
References
- lists.apache.org (Issue Tracking, Vendor Advisory)
- www.openwall.com (Mailing List, Third Party Advisory)