CVE-2026-24656

CWE-502 — Deserialization of Untrusted Data5 documents5 sources

Severity

3.7LOW

EPSS

0.0%

top 91.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Karaf Apache Karaf Decanter

Timeline

PublishedJan 26

Description

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this is…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 2.2 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.apache.karaf.decanter.collector:org.apache.karaf.decanter.collector.log.socket< 2.12.0

▶NVDapache/karaf_decanter< 2.12.0

▶CVEListV5apache_software_foundation/apache_karaf< 2.12.0

🔴Vulnerability Details

CVEList

Apache Karaf: Decanter log-socket collector has deserialization vulnerability↗2026-01-26

▶

OSV

Apache Karaf Decanter has Deserialization of Untrusted Data in its Log Socket Collector↗2026-01-26

▶

GHSA

Apache Karaf Decanter has Deserialization of Untrusted Data in its Log Socket Collector↗2026-01-26

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24656 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶