ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.

AI Analysis

Java deserialization RCE vulnerability in Hyperledger Fabric due to missing ObjectInputFilter

Basic Information

ID CVE-2026-41586

Source GitHub_M

Published May 7, 2026 at 05:12

Affected Product

Vendor hyperledger

Product fabric

Version >= 1.0.0, <= 2.2.26

Affected Versions hyperledger fabric >= 1.0.0, <= 2.2.26

CWE Classification

CWE-502

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Hyperledger

Product Hyperledger Fabric

Version 1.0.0 to 2.2.26

References

{
    "lastseen": "",
    "description": "Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.",
    "published": "2026-05-07T05:12:35.666Z",
    "modified": "2026-05-07T05:12:35.666Z",
    "type": "cve",
    "title": "ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE",
    "source": "GitHub_M",
    "references": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7\nhttps://hyperledger.github.io/fabric-gateway",
    "id": "CVE-2026-41586",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "hyperledger fabric >= 1.0.0, <= 2.2.26",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "fabric",
    "version": ">= 1.0.0, <= 2.2.26",
    "vendor": "hyperledger",
    "ai_description": "Java deserialization RCE vulnerability in Hyperledger Fabric due to missing ObjectInputFilter",
    "ai_severity": "Critical",
    "ai_vendor": "Hyperledger",
    "ai_product": "Hyperledger Fabric",
    "ai_version": "1.0.0 to 2.2.26",
    "ai_score": 9.3
}

ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE_CVE-2026-41586