
Apache MINA CVE-2026-41635

EUVD-2026-25796 · CRITICAL · CVSS 3.1 (NVD) 9.8
Deserialization of Untrusted Data (CWE-502)
Published 2026-04-27 · Source: security@apache.org · GHSA-8297-v2rf-2p32

Severity by source

NVD (primary): 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat: 9.8 CRITICAL (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Apr 27, 2026 17:22 (vuln.today): Re-analysis queued (reason: cvss_changed)
Apr 27, 2026 09:30 (vuln.today): Analysis generated
Apr 27, 2026 09:22 (euvd): EUVD ID assigned, EUVD-2026-25796
Apr 27, 2026 09:22 (vuln.today): Analysis generated
Apr 27, 2026 09:16 (nvd): CVE published, CRITICAL 9.8

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to 4-path depth):
  • 8 maven packages depend on org.apache.mina:mina-core (8 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.0.0.

Description (CVE.org)

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.

The fix checks if the class is present in the accepted class filter before calling Class.forName().

Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.

The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.
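The ordering the fix describes (consult the allowlist before any class lookup, for every descriptor in the stream) is the general Java deserialization hardening pattern, and it is easy to get wrong in exactly the way the description names: a "fast path" for array or primitive descriptors that returns Class.forName(name) without the check. The following is an added example written against plain java.io.ObjectInputStream; it is not Apache MINA's code and does not use the MINA API, and the allowlist contents, class name and sample objects are assumptions made for the demonstration. Array descriptors such as [I or [Ljava.util.HashMap; are reduced to their component type so the allowlist cannot be bypassed by wrapping a class in an array.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

/**
 * Allowlist-first deserialization: every class descriptor in the stream is
 * checked against an allowlist BEFORE any class lookup happens. The bug class
 * this closes is a branch of resolveClass() that returns Class.forName(name)
 * for some descriptors (array / primitive component types) without consulting
 * the allowlist. Illustrative code, not Apache MINA's implementation.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowedClassNames;   // assumption: fully qualified class names

    public AllowlistObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
        super(in);
        this.allowedClassNames = allowedClassNames;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Reduce an array descriptor to its component type so the allowlist
        // applies to "[Ljava.util.HashMap;" exactly as it applies to "java.util.HashMap".
        String component = name;
        while (component.startsWith("[")) {
            component = component.substring(1);
        }
        if (component.startsWith("L") && component.endsWith(";")) {
            component = component.substring(1, component.length() - 1);
        }
        // Primitive component types (int[] is "[I", etc.) carry no code and are safe to accept.
        boolean primitive = component.length() == 1 && "ZBCSIJFD".indexOf(component.charAt(0)) >= 0;
        if (!primitive && !allowedClassNames.contains(component)) {
            // Reject before the lookup: the named class is never loaded, let alone instantiated.
            throw new InvalidClassException(name, "class is not in the deserialization allowlist");
        }
        return super.resolveClass(desc);   // the only place a class lookup happens
    }

    // --- demo helpers (constructed for this example) ---------------------------

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of("java.util.ArrayList");   // constructed allowlist for the demo

        // Allowlisted class: accepted.
        System.out.println(deserialize(serialize(new ArrayList<>(List.of("a", "b"))), allowed));
        // Primitive array "[I": accepted because its component type is primitive.
        System.out.println(Arrays.toString((int[]) deserialize(serialize(new int[] {1, 2, 3}), allowed)));
        // Not allowlisted: rejected before any class lookup.
        try {
            deserialize(serialize(new HashMap<String, String>()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // An array of a non-allowlisted class ("[Ljava.util.HashMap;") is rejected as well.
        try {
            deserialize(serialize(new HashMap[0]), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The practical check for this advisory is whether your code calls getObject() on an IoBuffer that holds bytes received from a peer; if it does, the upgrade is the fix, and an allowlist of the kind shown here is a defence in depth only as long as no allowlisted class is itself a gadget.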

Analysis (AI)

Remote code execution in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 allows unauthenticated network attackers to execute arbitrary code by exploiting unsafe deserialization in AbstractIoBuffer.resolveClass(). The vulnerability bypasses classname allowlist protections due to incomplete validation of static classes and primitive types. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: send a crafted Java serialized object to a listener that passes the received bytes to IoBuffer.getObject().
Delivery: the stream names a class that falls into the unchecked branch of AbstractIoBuffer.resolveClass() (the branch for static classes or primitive types).
Exploit: the classname allowlist is never consulted for that branch.
Execution: the attacker-chosen class name is resolved via Class.forName() and the object is instantiated by the deserializer.
Impact: a deserialization gadget chain built from classes already on the application's classpath runs, giving arbitrary code execution.

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target application to use Apache MINA versions 2.0.0-2.0.27, 2.1.0-2.1.10, or 2.2.0-2.2.5 AND specifically call the IoBuffer.getObject() method to deserialize data received over the network. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: This represents critical real-world risk based on convergent signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker identifies a Java application server running Apache MINA 2.0.25 that accepts network connections and calls IoBuffer.getObject() to process client data. The attacker crafts a malicious Java serialized object containing a static class reference designed to bypass the allowlist check. …

Remediation: Upgrade Apache MINA to patched versions immediately: 2.0.28 (for the 2.0.x branch), 2.1.11 (for the 2.1.x branch), or 2.2.6 (for the 2.2.x branch). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all applications and services using Apache MINA and identify affected versions (2.0.0-2.0.27, 2.1.0-2.1.10, 2.2.0-2.2.5). …
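For the inventory step, an added example (not from the page or from the MINA project) that takes the output of `mvn dependency:list` and flags every mina-core version inside the advisory's affected ranges, naming the first fixed version of that branch. The class and method names are mine, and the four dependency lines are constructed sample input. Pre-release qualifiers such as -SNAPSHOT are ignored when comparing, so treat a 2.0.28-SNAPSHOT build as unverified rather than fixed.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags org.apache.mina:mina-core versions affected by CVE-2026-41635 using the
 * ranges in the advisory (2.0.0-2.0.27, 2.1.0-2.1.10, 2.2.0-2.2.5) and reports
 * the first fixed release of the matching branch (2.0.28, 2.1.11, 2.2.6).
 * Input lines follow the `mvn dependency:list` format groupId:artifactId:type:version:scope.
 */
public class MinaCve202641635Check {

    // branch -> { last affected version, first fixed version }
    private static final Map<String, String[]> BRANCHES = Map.of(
        "2.0", new String[] {"2.0.27", "2.0.28"},
        "2.1", new String[] {"2.1.10", "2.1.11"},
        "2.2", new String[] {"2.2.5", "2.2.6"});

    private static final Pattern DEP = Pattern.compile(
        "org\\.apache\\.mina:mina-core:[^:]+:([0-9][^:\\s]*)");

    private static final Pattern NUMERIC = Pattern.compile("^(\\d+)\\.(\\d+)(?:\\.(\\d+))?");

    /** Returns the fixed version to upgrade to, or null if the version is outside the affected ranges. */
    static String fixFor(String version) {
        int[] v = parse(version);
        if (v == null || v[0] != 2) {
            return null;
        }
        String[] branch = BRANCHES.get(v[0] + "." + v[1]);
        if (branch == null) {
            return null;   // a 2.x branch the advisory does not list
        }
        return compare(v, parse(branch[0])) <= 0 ? branch[1] : null;
    }

    /** Parses the leading major.minor[.patch] of a version string; qualifiers are dropped. */
    static int[] parse(String version) {
        Matcher m = NUMERIC.matcher(version);
        if (!m.find()) {
            return null;
        }
        int patch = m.group(3) == null ? 0 : Integer.parseInt(m.group(3));
        return new int[] {Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)), patch};
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** Scans dependency-list output; returns affected version -> fixed version, in input order. */
    static Map<String, String> scan(List<String> lines) {
        Map<String, String> hits = new LinkedHashMap<>();
        for (String line : lines) {
            Matcher m = DEP.matcher(line);
            if (m.find()) {
                String fix = fixFor(m.group(1));
                if (fix != null) {
                    hits.put(m.group(1), fix);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:list` output.
        List<String> sample = List.of(
            "[INFO]    org.apache.mina:mina-core:jar:2.0.25:compile",
            "[INFO]    org.apache.mina:mina-core:jar:2.1.10:compile",
            "[INFO]    org.apache.mina:mina-core:jar:2.2.6:compile",
            "[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile");
        scan(sample).forEach((version, fix) ->
            System.out.println("mina-core " + version + " is affected; upgrade to " + fix));
    }
}
```

A version match alone does not establish exposure: the advisory scopes the issue to applications that call IoBuffer.getObject(), so pair this with a search of the code base for that call, and treat any mina-core that reaches the classpath transitively (the blast-radius count above) as in scope until proven otherwise.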


CVE-2026-41635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy