Apache CXF versions 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and version 2.6.0 contain an issue that could result in weaker-than-expected security configurations.
The issue exists because the affected software fails to properly enforce the WS-SecurityPolicy 1.1 child policies on the client side. When the client's security configuration is supplied by the server, the client could improperly skip the following policies:
These policies instruct the client to encrypt or sign message elements as directed by the policy, so a failure to apply them could lead to sensitive information being stored or transmitted without the expected protection.
Apache has confirmed the issue and software updates are available.