Quarkus CXF 3.37.0 release notes

Important dependency upgrades

Quarkus 3.36.x → 3.37.0 - release notes
Apache CXF 4.2.1 → 4.2.2 - release notes, changelog
- CVE-2026-50645 Apache CXF: Uncontrolled Resource Consumption via unlimited attachment headers - severity high
Apache HttpClient 5.5.2 → 5.6.1 - release notes, changelog
JAXB Plugins 4.0.14 → 4.0.16 - release notes 4.0.15, release notes 4.0.16
Woodstox 7.2.0 → 7.2.1 - release notes, changelog

Enhancements

Manage all transitive dependencies

io.quarkiverse.cxf:quarkus-cxf-bom now manages all transitive dependencies required by Quarkus CXF extensions. This is to improve the speed and determinism of dependency resolution. As a consequence of that, any combination of Quarkus CXF extensions should use the same transitive dependencies versions irrespective of the order of dependencies in pom.xml.

Full changelog

https://github.com/quarkiverse/quarkus-cxf/compare/3.36.0...3.37.0