Apache CXF LDAP Injection Flaw Exposes Arbitrary Certificates
ID: 994be7fc-890e-5410-b833-4ff62d36e35d
STIX ID: report--994be7fc-890e-5410-b833-4ff62d36e35d
Feed Name: Cyber Press
The Apache Software Foundation has patched a critical LDAP injection vulnerability (CVE-2026-44930) in the XKMS LDAP Certificate Repository of Apache CXF that could allow remote attackers to retrieve arbitrary X.509 certificates (CVSS 3.1 score 9.8). Administrators are advised to immediately upgrade the affected CXF branches to 4.2.1, 4.1.6, or 3.6.11, audit LDAP logs for anomalous filters, and review two companion fixes (an XXE fix and a fix for an incomplete RCE patch).
