Is Apache MINA affected by CVE-2026-41409?

Apache MINA versions 2.0.0-2.2.5 contain a critical remote code execution vulnerability in deserialization logic that allows unauthenticated attackers to execute arbitrary code on affected systems with no authentication required.

Apache MINA CVE-2026-41409

Q: How to fix CVE-2026-41409?

Within 24 hours: Identify all systems running Apache MINA versions 2.0.0-2.2.5 and audit which applications call IoBuffer.getObject(). Within 7 days: Upgrade to patched versions (2.0.28, 2.1.11, or 2.2.6 depending on your branch). Within 30 days: Conduct code review to confirm all unsafe deserialization paths are eliminated and validate patch deployment across all affected instances.

EUVD-2026-25809 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-04-27 apache

Deserialization Apache

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 27, 2026 - 19:07 vuln.today

cvss_changed

Analysis Generated

Apr 27, 2026 - 10:30 vuln.today

DescriptionNVD

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.

Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.

The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade

AnalysisAI

Remote unauthenticated attackers can execute arbitrary code in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 through unsafe deserialization in AbstractIoBuffer.getObject(). This is an incomplete fix bypass for CVE-2024-52046 where the classname allowlist validation occurs after static initializers execute, enabling attackers to trigger malicious code execution before security controls engage. …

RemediationAI

Within 24 hours: Identify all systems running Apache MINA versions 2.0.0-2.2.5 and audit which applications call IoBuffer.getObject(). Within 7 days: Upgrade to patched versions (2.0.28, 2.1.11, or 2.2.6 depending on your branch). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-39920 CRITICAL Act Now POC

9.3 Apr 24

Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attack

CVE-2026-33453 CRITICAL Act Now

10.0 Apr 27

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap

CVE-2026-40453 CRITICAL Act Now

9.9 Apr 27

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such a

CVE-2026-40860 CRITICAL Act Now

9.8 Apr 27

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payloa

CVE-2026-41635 CRITICAL Act Now

9.8 Apr 27

Remote code execution in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 allows unauthenticated network attacker

CVE-2026-41409 vulnerability details – vuln.today

Back

Apache MINA CVE-2026-41409

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code