CVE-2026-41635: Deserialization of Untrusted Data in Software Foundation Apache Mina

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.0% (top 85.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 27

Description

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks whether the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by appl
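The defensive pattern the fix describes, a single allowlist check applied to every class name before Class.forName() is reached, shown as an added illustrative example built on the standard ObjectInputStream hook; this is not Apache MINA's own code, and the acceptMatchers predicate list and the sample allowlist are assumptions.

```java
import java.io.*;
import java.util.*;
import java.util.function.Predicate;

// Illustrative hardening (not Apache MINA's own code): every name that reaches
// resolveClass() is checked before Class.forName() runs; there is no unchecked branch.
public final class AllowlistObjectInputStream extends ObjectInputStream {
    // JVM descriptors for primitive array element types (int[] is "[I", double[][] is "[[D")
    private static final Set<String> PRIMITIVE_DESCRIPTORS = Set.of("Z", "B", "C", "S", "I", "J", "F", "D");
    private final List<Predicate<String>> acceptMatchers; // hypothetical allowlist of class-name predicates

    public AllowlistObjectInputStream(InputStream in, List<Predicate<String>> acceptMatchers) throws IOException {
        super(in);
        this.acceptMatchers = List.copyOf(acceptMatchers);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        String element = elementType(name);
        // Primitive arrays carry data, not behaviour, so they pass; every other name,
        // array or not, must satisfy at least one matcher or is rejected before loading.
        if (!PRIMITIVE_DESCRIPTORS.contains(element)
                && acceptMatchers.stream().noneMatch(m -> m.test(element))) {
            throw new InvalidClassException(name, "not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // "[[Lcom.example.Foo;" -> "com.example.Foo"; "[I" -> "I"; "java.util.Date" unchanged
    static String elementType(String name) {
        int dims = 0;
        while (dims < name.length() && name.charAt(dims) == '[') dims++;
        String rest = name.substring(dims);
        return (dims > 0 && rest.startsWith("L") && rest.endsWith(";"))
                ? rest.substring(1, rest.length() - 1) : rest;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: only java.util.Date is allowed, so the ArrayList is rejected.
        List<Predicate<String>> allow = List.of(n -> n.equals("java.util.Date"));
        for (Object o : new Object[]{ new Date(0), new ArrayList<>(List.of("x")) }) {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
            try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bos.toByteArray()), allow)) {
                System.out.println("accepted " + in.readObject().getClass().getName());
            } catch (InvalidClassException e) {
                System.out.println("rejected " + e.classname + ": " + e.getMessage());
            }
        }
    }
}
```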

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 6 packages

Vulnerability Details (1)

VulDB: Apache MINA up to 2.0.27/2.1.10/2.2.5 acceptMatchers Filter AbstractIoBuffer.resolveClass deserialization (2026-04-27)

Vendor Advisories (1)

Red Hat: Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass (2026-04-27)

Community (2)

Bugzilla: CVE-2026-41635 Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass (2026-04-27)
Bugzilla: CVE-2026-41635 apache-commons-vfs: Apache MINA: Arbitrary code execution via classname allowlist bypass [fedora-all] (2026-04-27)