CVE-2026-42403: Apache Neethi does not properly detect circular references in policy definitions.

May 1, 2026 (updated May 7, 2026)

Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

References

github.com/advisories/GHSA-2hfh-9h53-qc24
github.com/apache/ws-neethi
lists.apache.org/thread/zm6t8skkkskjwk1881l4m4n0l7dqclzo
nvd.nist.gov/vuln/detail/CVE-2026-42403

Code Behaviors & Features

Detect and mitigate CVE-2026-42403 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →