CVE-2026-49875
WSO2 Products impacted: no
Customer action required: no
REPORTED VULNERABILITY
Apache CXF has an XML External Entity (XXE) vulnerability in the EndpointReferenceUtils and W3CMultiSchemaFactory classes. Both construct a SAXParserFactory without the JAXP hardening configuration that restricts external entity resolution, which may allow out-of-band external entity resolution when attacker-controlled XML reaches those parsers [1][2].
REPORTED PRODUCTS
- WSO2 API Manager : 3.2.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0
- WSO2 API Control Plane: 4.5.0, 4.6.0, 4.7.0
- WSO2 Universal Gateway: 4.5.0, 4.6.0, 4.7.0
- WSO2 Traffic Manager: 4.5.0, 4.6.0, 4.7.0
WSO2 JUSTIFICATION
Although WSO2 API Manager contains the Apache CXF Core 3.x classes affected by CVE-2026-49875, the presence of these classes alone does not make the products vulnerable. Exploitation requires one of the following CXF execution paths to be reachable:
- WS-Addressing EPR parsing via MAPAggregator/EndpointReferenceUtils [1][2].
- XML schema validation via StaxSchemaValidationInInterceptor/W3CMultiSchemaFactory.
Both require features that are not active in any WSO2 API Manager web application.
This vulnerability has been addressed in Apache CXF versions 4.1.7 and 4.2.2 [1]. However, WSO2 API Manager uses Apache CXF Core 3.x packages, and no remediated Apache CXF 3.x release has been published for this CVE. Addressing it through a dependency update would therefore require migrating to CXF 4.x, which moves from the javax.* APIs used by CXF 3.x to the Jakarta EE (jakarta.*) APIs and lists Tomcat 10.1 as a major dependency change [3]. Apache Tomcat itself identifies the 9.x to 10.x migration as a significant breaking change because of the javax.* to jakarta.* package rename [4], so moving WSO2 API Manager to CXF 4.x is not an isolated dependency update but a breaking platform migration. For these reasons, this CVE justification is published with a detailed analysis of why the associated risk is mitigated in WSO2 products.
WS-Addressing path:
Although MAPAggregator.class and EndpointReferenceUtils.SchemaLSResourceResolver.class are physically present in the CXF Core 3.x JARs, the WSO2 API Manager distribution does not ship the SOAP frontend or WS-Addressing runtime JARs required to activate this path. Specifically, cxf-rt-frontend-soap, cxf-rt-ws-addr, and cxf-rt-bindings-soap are absent. Without these artifacts, no SOAP / WS-Addressing inbound dispatch chain can be assembled, so no runtime request path invokes MAPAggregator or triggers EPR parsing. The vulnerable classes are present but have no reachable caller chain.
Schema validation path:
Inspection of all CXF beans.xml files across the API-M web applications, including publisher, admin, devportal, devops, service-catalog, gateway, keymanager-operations, client-registration, oauth2, and identity endpoints, confirms that StaxSchemaValidationInInterceptor is not configured anywhere. In addition, jaxrs:schemaLocations is not set in any server definition, and no endpoint is annotated with @SchemaValidation. CXF JAX-RS schema validation is disabled by default and is not enabled in any web application.
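The two conditions above (no SOAP/WS-Addressing runtime JARs in the distribution, and no CXF configuration that enables schema validation) can be re-checked on a deployed pack. The script below is an added example for that purpose; it is not WSO2 or Apache CXF tooling. It searches the pack for the three JAR artifact names and for the two configuration markers named in this justification. The directory layout of the sample tree it builds when run without an argument is constructed only so the script runs offline, and the `@SchemaValidation` annotation, which lives in compiled endpoint classes, is outside what a text search over XML can confirm.

```shell
#!/bin/sh
# Added example, not WSO2's or Apache CXF's own tooling: re-check the two
# reachability conditions the CVE-2026-49875 justification relies on
# against a local API-M pack. The constructed sample tree below is an
# assumption used only to make the script runnable offline.

# Condition 1: the SOAP frontend and WS-Addressing runtime JARs must be
# absent. Returns 0 when none is found under the pack, 1 otherwise, and
# prints every offending JAR. The match is deliberately loose (*name*.jar)
# so that Maven-style and OSGi-bundle-style file names are both caught.
cxf_soap_jars_absent() {
  pack="$1"
  status=0
  for artifact in cxf-rt-frontend-soap cxf-rt-ws-addr cxf-rt-bindings-soap; do
    hits=$(find "$pack" -type f -name "*${artifact}*.jar" 2>/dev/null || true)
    if [ -n "$hits" ]; then
      printf 'present: %s\n' "$hits"
      status=1
    fi
  done
  return "$status"
}

# Condition 2: no XML configuration under the pack may register
# StaxSchemaValidationInInterceptor or set jaxrs:schemaLocations.
# Returns 0 when neither marker appears, 1 otherwise. Endpoint classes
# annotated with @SchemaValidation are not covered by this text search.
cxf_schema_validation_disabled() {
  pack="$1"
  hits=$(find "$pack" -type f -name '*.xml' -exec grep -lF \
           -e 'StaxSchemaValidationInInterceptor' \
           -e 'jaxrs:schemaLocations' {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf 'schema validation configured in: %s\n' "$hits"
    return 1
  fi
  return 0
}

# Constructed sample pack (assumed layout): one CXF core JAR and one
# webapp beans.xml that defines a JAX-RS server with no validation
# interceptor. Prints the temporary root directory.
make_sample_pack() {
  root=$(mktemp -d)
  mkdir -p "$root/lib" "$root/webapps/api/WEB-INF"
  : > "$root/lib/cxf-core-3.x.jar"
  cat > "$root/webapps/api/WEB-INF/beans.xml" <<'EOF'
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs">
  <jaxrs:server id="sample" address="/">
    <jaxrs:serviceBeans><bean class="example.SampleResource"/></jaxrs:serviceBeans>
  </jaxrs:server>
</beans>
EOF
  printf '%s\n' "$root"
}

# Usage: sh check_cxf_paths.sh /path/to/wso2am-<version>
# With no argument the constructed sample pack is checked instead.
main() {
  pack="${1:-$(make_sample_pack)}"
  ok=0
  cxf_soap_jars_absent "$pack" && echo "WS-Addressing path: no SOAP/WS-Addr JARs" || ok=1
  cxf_schema_validation_disabled "$pack" && echo "Schema validation path: not configured" || ok=1
  [ "$ok" -eq 0 ] && echo "CVE-2026-49875 paths unreachable in $pack"
  return "$ok"
}
main "$@"
```

Point the script at the root of an unpacked distribution. A non-zero exit with a listed JAR or configuration file means one of the preconditions in this justification does not hold for that deployment and the affected path should be reviewed directly.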
Based on this analysis, the vulnerable code paths in the CXF Core 3.x packages are present in API-M but unreachable: the WS-Addressing path has no dispatch chain that drives it, and the schema validation path is not enabled in any web application configuration. CVE-2026-49875 therefore does not pose a security risk to WSO2 API Manager deployments.