What is the CVSS score of CVE-2026-41409?

CVE-2026-41409 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Apache MINA are affected by CVE-2026-41409?

Apache MINA versions 2.0.0-2.2.5 contain a critical remote code execution vulnerability in deserialization logic that allows unauthenticated attackers to execute arbitrary code on affected systems…. A patch is available.

How to fix or mitigate CVE-2026-41409?

Within 24 hours: Identify all systems running Apache MINA versions 2.0.0-2.2.5 and audit which applications call IoBuffer.getObject(). Within 7 days: Upgrade to patched versions (2.0.28, 2.1.11, or 2.2.6 depending on your branch). Within 30 days: Conduct code review to confirm all unsafe deserialization paths are eliminated and validate patch deployment across all affected instances.

Apache MINA CVE-2026-41409

EUVD-2026-25809 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-04-27 apache

GHSA-f2wh-grmh-r6jm

Deserialization Apache Red Hat

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Red Hat

9.8 CRITICAL

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 27, 2026 - 19:07 vuln.today

cvss_changed

Analysis Generated

Apr 27, 2026 - 10:30 vuln.today

EUVD ID Assigned

Apr 27, 2026 - 10:00 euvd

EUVD-2026-25809

Analysis Generated

Apr 27, 2026 - 10:00 vuln.today

CVE Published

Apr 27, 2026 - 09:20 nvd

CRITICAL 9.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

8 maven packages depend on org.apache.mina:mina-core (8 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.0.0.

DescriptionCVE.org

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.

Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.

The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade

AnalysisAI

Remote unauthenticated attackers can execute arbitrary code in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 through unsafe deserialization in AbstractIoBuffer.getObject(). This is an incomplete fix bypass for CVE-2024-52046 where the classname allowlist validation occurs after static initializers execute, enabling attackers to trigger malicious code execution before security controls engage. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send crafted serialized payload to MINA service

Delivery

Application calls IoBuffer.getObject()

Exploit

ClassLoader loads malicious class

Execution

Static initializer executes before allowlist check

Persist

Arbitrary code runs with application privileges

Impact

Establish persistence or execute commands

Access

Send crafted serialized payload to MINA service

Delivery

Application calls IoBuffer.getObject()

Exploit

ClassLoader loads malicious class

Execution

Static initializer executes before allowlist check

Persist

Arbitrary code runs with application privileges

Impact

Establish persistence or execute commands

Vulnerability AssessmentAI

Exploitation	Exploitation requires the target application to call IoBuffer.getObject() on attacker-controlled network input - this is NOT a default MINA behavior and must be explicitly implemented in application code. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is CRITICAL for applications exposing IoBuffer.getObject() to network input. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker identifies a MINA-based network service that processes serialized Java objects via IoBuffer.getObject(). They craft a malicious serialized payload containing a class with a weaponized static initializer (e.g., commons-collections gadget chain). …
Remediation	Upgrade immediately to Apache MINA 2.0.28, 2.1.11, or 2.2.6 depending on your deployed branch - vendor-released patches available per Apache advisory at https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Apache MINA versions 2.0.0-2.2.5 and audit which applications call IoBuffer.getObject(). …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

CVE-2026-41409 vulnerability details – vuln.today

Back

Apache MINA CVE-2026-41409

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

Share

External POC / Exploit Code