CVE-2026-42404: Apache Neethi doesn't impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API

May 1, 2026 (updated May 7, 2026)

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

References

github.com/advisories/GHSA-287c-fxr7-3w6c
github.com/apache/ws-neethi
lists.apache.org/thread/zdspnt64zznyjyn648553kptx69w23oq
nvd.nist.gov/vuln/detail/CVE-2026-42404

Code Behaviors & Features

Detect and mitigate CVE-2026-42404 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →