CRITICAL Severity · CVSS 4.0 base score 9.3 · Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE-2026-41586
Last updated May 07, 2026 · Published May 07, 2026
Description
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. In versions 1.0.0 through 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel(), both of which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is the classic Java deserialization remote code execution (RCE) pattern: with no filter, the stream may name any Serializable class on the classpath, including known gadget-chain classes, and that class is instantiated and its readObject() logic run before the caller ever sees the result. At time of publication, there are no publicly available patches.
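As an added illustration of the pattern the description names, and not code from Hyperledger Fabric or from this advisory: the vulnerable shape (an ObjectInputStream created over caller-supplied bytes and read with no filter) beside the same method with an ObjectInputFilter allowlist. The class and method names (DeserializationDemo, ChannelState, vulnerableDeserialize, hardenedDeserialize) are invented for the example, and the HashMap payload is a constructed stand-in for an attacker-chosen class, not a real gadget chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Hypothetical demonstration of the CWE-502 pattern above (Java 9+ API).
 * Not Hyperledger Fabric code; every name here is invented for the example.
 */
public class DeserializationDemo {

    /** Stand-in for the one object type the receiver legitimately expects. */
    public static final class ChannelState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int height;
        ChannelState(String name, int height) { this.name = name; this.height = height; }
    }

    /** Vulnerable: no filter, so the stream may instantiate any Serializable class on the classpath. */
    public static Object vulnerableDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject(); // gadget readObject() methods run inside this call
        }
    }

    /**
     * Hardened: allow only the expected class (plus java.lang.String for its field),
     * reject everything else ("!*"), and cap nesting depth and array length so a
     * crafted stream cannot exhaust memory before it is rejected.
     */
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            ChannelState.class.getName() + ";java.lang.String;maxdepth=5;maxarray=1000;!*");

    public static ChannelState hardenedDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(ALLOWLIST); // must be set before the first readObject()
            return (ChannelState) ois.readObject();
        }
    }

    /** Helper: produce the bytes a peer (legitimate or hostile) would send over the wire. */
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ChannelState("mychannel", 42));
        // Constructed payload: a class the receiver never asked for. A real exploit
        // would name a gadget class whose readObject() has exploitable side effects.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("vulnerable, expected   : " + vulnerableDeserialize(expected).getClass().getName());
        System.out.println("vulnerable, unexpected : " + vulnerableDeserialize(unexpected).getClass().getName());
        System.out.println("hardened,   expected   : " + hardenedDeserialize(expected).name);
        try {
            hardenedDeserialize(unexpected);
            System.out.println("hardened,   unexpected : ACCEPTED (filter not applied)");
        } catch (InvalidClassException e) {
            // The filter rejects java.util.HashMap at its class descriptor,
            // before any instance is created or any readObject() logic runs.
            System.out.println("hardened,   unexpected : rejected -> " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner will want. First, the filter has to be attached to every ObjectInputStream that is constructed, including streams a custom readObject(ObjectInputStream) method builds over nested byte arrays; a stream that is not filtered is wide open regardless of how the others are configured. Second, where the vulnerable code cannot be changed (the advisory lists no patch), the JVM-wide fallback is a process-level filter set with the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter(), which applies to streams that do not set their own filter; an allowlist ending in "!*" is the only form that actually closes the gadget-chain door.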
Affected products
1 listed
- hyperledger:fabric
Mappings
CWE
CWE-502
CAPEC
None listed.
Related
Training
- Injection Today: SQL, NoSQL, ORM, and LLM injection - what's changed and what hasn't.
- Secure Defaults in Modern Frameworks: how Rails, Next.js, Django, and Spring protect you - and where they don't.
- Input Validation and Schema Enforcement: validate early, validate strictly - schemas, allowlists, and type-safe boundaries.
CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use.
