Apache MINA EUVD-2026-25796

| CVE-2026-41635 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-04-27 [email protected]
RCE Deserialization Apache
9.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Re-analysis Queued
Apr 27, 2026 - 17:22 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 09:30 vuln.today

DescriptionNVD

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.

The fix checks if the class is present in the accepted class filter before calling Class.forName().

Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and

2.2.0 <= 2.2.5.

The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call  IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.

AnalysisAI

Remote code execution in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 allows unauthenticated network attackers to execute arbitrary code by exploiting unsafe deserialization in AbstractIoBuffer.resolveClass(). The vulnerability bypasses classname allowlist protections due to incomplete validation of static classes and primitive types. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory all applications and services using Apache MINA and identify affected versions (2.0.0-2.0.27, 2.1.0-2.1.10, 2.2.0-2.2.5). Within 7 days: Upgrade to patched versions-MINA 2.0.28, 2.1.11, or 2.2.6 depending on current version in use. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-39920 CRITICAL POC
9.3 Apr 24

Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attack
CVE-2026-33453 CRITICAL
10.0 Apr 27

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap

CVE-2026-40453 CRITICAL
9.9 Apr 27

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such a
CVE-2026-40860 CRITICAL
9.8 Apr 27

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payloa
CVE-2026-41409 CRITICAL
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 t

Share

EUVD-2026-25796 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy