{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41635", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-21T22:18:22.755Z", "datePublished": "2026-04-27T08:59:50.652Z", "dateUpdated": "2026-04-28T03:55:38.297Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.mina:mina-core", "product": "Apache MINA", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.2.5", "status": "affected", "version": "2.2.0", "versionType": "semver"}, {"lessThanOrEqual": "2.1.10", "status": "affected", "version": "2.1.0", "versionType": "semver"}, {"lessThanOrEqual": "2.0.27", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Venkatraman Kumar, Securin"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Apache <b>MINA</b>'s <i>AbstractIoBuffer.resolveClass()</i> contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.</div><div><br></div><div>The fix checks if the class is present in the accepted class filter&nbsp;<b>before</b> calling&nbsp;<i>Class.forName()</i>.&nbsp;</div><div><br></div><div></div>Affected versions are Apache MINA 2.0.0 &lt;= 2.0.27, 2.1.0 &lt;= 2.1.10, and\n<br>\n2.2.0 &lt;= 2.2.5.\n<br>\n\n<br>\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n<br>\n\n<br>\nAffected are applications using Apache MINA that call&nbsp; IoBuffer.getObject().\n<br>\n\n<br>\nApplications using Apache MINA are advised to upgrade.<div></div>"}], "value": "Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\n\n\n\n\nThe fix checks if the class is present in the accepted class filter\u00a0before calling\u00a0Class.forName().\u00a0\n\n\n\n\n\n\nAffected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and\n\n\n2.2.0 <= 2.2.5.\n\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\n\nAffected are applications using Apache MINA that call\u00a0 IoBuffer.getObject().\n\n\n\n\n\nApplications using Apache MINA are advised to upgrade."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-27T09:15:46.203Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm"}], "source": {"advisory": "ZDRES-059", "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2026-04-17T00:00:00.000Z", "value": "Initial reporting"}], "title": "Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter \u2014 Full Object Deserialization RCE", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-41635"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T03:55:38.297Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/27/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T16:32:59.767Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/27/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T16:32:59.767Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T12:26:05.295221Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T12:26:08.738Z"}}], "cna": {"title": "Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter \u2014 Full Object Deserialization RCE", "source": {"advisory": "ZDRES-059", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Venkatraman Kumar, Securin"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache MINA", "versions": [{"status": "affected", "version": "2.2.0", "versionType": "semver", "lessThanOrEqual": "2.2.5"}, {"status": "affected", "version": "2.1.0", "versionType": "semver", "lessThanOrEqual": "2.1.10"}, {"status": "affected", "version": "2.0.0", "versionType": "semver", "lessThanOrEqual": "2.0.27"}], "packageName": "org.apache.mina:mina-core", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-17T00:00:00.000Z", "value": "Initial reporting"}], "references": [{"url": "https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\n\n\n\n\nThe fix checks if the class is present in the accepted class filter\u00a0before calling\u00a0Class.forName().\u00a0\n\n\n\n\n\n\nAffected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and\n\n\n2.2.0 <= 2.2.5.\n\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\n\nAffected are applications using Apache MINA that call\u00a0 IoBuffer.getObject().\n\n\n\n\n\nApplications using Apache MINA are advised to upgrade.", "supportingMedia": [{"type": "text/html", "value": "<div>Apache <b>MINA</b>'s <i>AbstractIoBuffer.resolveClass()</i> contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.</div><div><br></div><div>The fix checks if the class is present in the accepted class filter&nbsp;<b>before</b> calling&nbsp;<i>Class.forName()</i>.&nbsp;</div><div><br></div><div></div>Affected versions are Apache MINA 2.0.0 &lt;= 2.0.27, 2.1.0 &lt;= 2.1.10, and\n<br>\n2.2.0 &lt;= 2.2.5.\n<br>\n\n<br>\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n<br>\n\n<br>\nAffected are applications using Apache MINA that call&nbsp; IoBuffer.getObject().\n<br>\n\n<br>\nApplications using Apache MINA are advised to upgrade.<div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-27T09:15:46.203Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41635", "state": "PUBLISHED", "dateUpdated": "2026-04-28T03:55:38.297Z", "dateReserved": "2026-04-21T22:18:22.755Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-27T08:59:50.652Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\n\n\n\n\nThe fix checks if the class is present in the accepted class filter\u00a0before calling\u00a0Class.forName().\u00a0\n\n\n\n\n\n\nAffected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and\n\n\n2.2.0 <= 2.2.5.\n\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\n\nAffected are applications using Apache MINA that call\u00a0 IoBuffer.getObject().\n\n\n\n\n\nApplications using Apache MINA are advised to upgrade."}], "id": "CVE-2026-41635", "lastModified": "2026-04-27T18:57:20.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2026-04-27T09:16:01.893", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/27/4"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass", "id": "2463177", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463177"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in Apache MINA. A remote attacker could exploit a vulnerability in the `AbstractIoBuffer.resolveClass()` method, which failed to properly validate class names for static classes or primitive types. This bypasses the intended security control, known as a classname allowlist, allowing an attacker to execute arbitrary code on systems running applications that use Apache MINA and call `IoBuffer.getObject()`. This could lead to a complete compromise of the affected system."], "name": "CVE-2026-41635", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "mina-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "mina-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "mina-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "javapackages-tools:201801/maven-wagon", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven:3.9/maven-wagon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "maven-wagon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "mina-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "mina-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "mina-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Affected", "package_name": "mina-core", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "mina-core", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-04-27T08:59:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41635\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41635\nhttps://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm"], "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,2.2.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0,2.1.10]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.27]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache MINA", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "mina", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-28T04:40:32.747608+00:00", "value": {"mitigation_remediation": ["Upgrade Apache MINA to version 2.0.28 or later (2.1.11, 2.2.6+) to enforce the classname allowlist.", "Audit the application code for any usage of IoBuffer.getObject() with data from untrusted sources and either remove or replace it with a safer serialization mechanism.", "If an immediate upgrade is not possible, isolate the MINA\u2011based service from external networks or restrict inbound connections so that only trusted traffic can reach the deserialization endpoint until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Customers using Apache Software Foundation\u2019s Apache MINA within versions 2.0.0 to 2.0.27, 2.1.0 to 2.1.10, and 2.2.0 to 2.2.5 are impacted. Applications that employ IoBuffer.getObject() to deserialize data are also vulnerable. Any services that expose MINA over a network and process external traffic may expose this flaw.", "description_and_impact": "Apache MINA\u2019s AbstractIoBuffer.resolveClass() contains a flaw that allows the class allowlist to be bypassed for static classes or primitive types. The unchecked call to Class.forName() enables an attacker to deserialize arbitrary objects and execute code of their choosing. The weakness is classified as CWE-502. The impact is a full remote code execution with potential to compromise confidentiality, integrity, and availability of the affected application.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.8, indicating critical severity. The EPSS score is less than 1% and it is not listed in CISA\u2019s KEV catalog, suggesting limited exploitation in the wild. However, the likely attack vector is remote or network\u2011based, based on the use of IoBuffer.getObject() to process remote data. If an attacker can supply crafted serialized input, they can trigger the unchecked class resolution and achieve arbitrary code execution. The upgrade path to mitigated versions (2.0.28, 2.1.11, or 2.2.6+) is the only confirmed defensive measure currently available."}}}}, "created": "2026-04-28T03:00:09.369842+00:00", "updated": "2026-04-28T04:45:22.551959+00:00", "vendors": ["apache", "apache$PRODUCT$mina"]}