CVE-2026-42404
Published: 01 May 2026
Summary
CVE-2026-42404 is a medium-severity SSRF (CWE-918) vulnerability in Apache Neethi. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Timely flaw remediation by upgrading Apache Neethi to version 3.2.2 directly eliminates the SSRF vulnerability in the PolicyReference API.
- Validating URI inputs to the PolicyReference API enforces restrictions on protocols and addresses, preventing arbitrary outbound requests.
- Boundary protection devices monitor and control outbound communications, blocking requests to internal IP addresses and unauthorized protocols.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF vulnerability in a public-facing application library directly enables T1190 via crafted URI input, and it facilitates internal IP/port probing for T1018 (Remote System Discovery) and T1046 (Network Service Discovery).
NVD Description
Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP addresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Deeper analysis
Apache Neethi, a Java library for WS-Policy processing, contains a vulnerability in versions prior to 3.2.2 where the PolicyReference API does not impose restrictions on URIs during manual fetches of remote policy references. This allows applications explicitly calling the API to make outbound requests to arbitrary protocols and internal IP addresses, including link-local, multicast, or any-local addresses. The issue is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
Remote attackers can exploit this vulnerability by tricking applications into invoking the PolicyReference API with a specially crafted URI, such as one targeting internal network resources or unsupported protocols. No authentication or user interaction is required, enabling network-accessible exploitation with low complexity. Successful attacks can result in limited confidentiality and integrity impacts, such as unauthorized access to internal services or data leakage via SSRF.
Apache advisories recommend upgrading to version 3.2.2, which restricts URIs to HTTP or HTTPS only and forbids link-local, multicast, and any-local addresses. Relevant discussions are available in the Apache mailing list announcement and oss-security mailing list post.
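The restriction described above (http/https only; no link-local, multicast or any-local targets) is the kind of check an application should apply before handing a URI to the PolicyReference API, whether or not it has upgraded yet. The following is an added example written for this page; it is not Neethi's own code and not the 3.2.2 patch. The class name PolicyUriGuard and the validate method are hypothetical, the sample inputs are constructed, and the check is deliberately stricter than the page's rule in that it also rejects loopback and site-local (RFC 1918) addresses, which is stated here as a design choice rather than as Neethi's behaviour.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical guard applied by the calling application before invoking Neethi's PolicyReference API. */
public final class PolicyUriGuard {

    // Only the two schemes the page says 3.2.2 permits.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private PolicyUriGuard() {}

    /**
     * Returns the parsed URI if it passes the scheme and address checks;
     * otherwise throws IllegalArgumentException with the reason.
     * UnknownHostException propagates when a hostname cannot be resolved.
     */
    public static URI validate(String raw) throws UnknownHostException {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed policy URI: " + raw, e);
        }

        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }

        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("policy URI has no host: " + raw);
        }

        // Check every address the host maps to; one forbidden address rejects the whole URI.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLinkLocalAddress()          // the page's rule: link-local
                    || addr.isMulticastAddress()   // the page's rule: multicast
                    || addr.isAnyLocalAddress()    // the page's rule: any-local (0.0.0.0 / ::)
                    || addr.isLoopbackAddress()    // stricter than the page: loopback
                    || addr.isSiteLocalAddress()) {// stricter than the page: RFC 1918 ranges
                throw new IllegalArgumentException(
                        "policy host resolves to a forbidden address: " + addr.getHostAddress());
            }
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed inputs. IP literals need no DNS lookup, so this runs offline.
        String[] samples = {
            "http://203.0.113.10/ws-policy.xml",   // TEST-NET-3 documentation address: allowed
            "ftp://203.0.113.10/ws-policy.xml",    // scheme not http/https: denied
            "http://169.254.10.20/ws-policy.xml",  // IPv4 link-local: denied
            "http://[ff02::1]/ws-policy.xml",      // IPv6 multicast: denied
            "http://0.0.0.0/ws-policy.xml",        // any-local: denied
            "http://10.0.0.5/ws-policy.xml",       // site-local, denied by the stricter rule here
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + validate(s));
            } catch (IllegalArgumentException | UnknownHostException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Note that resolving a hostname in the guard and then letting the HTTP client resolve it again leaves a window between check and use; where the policy source is a hostname rather than an IP literal, pin the resolved address in the client (or resolve once and connect to that address) so the address that was checked is the address that is contacted.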
Details
- CWE(s)