Critical (9.8)

Apache MINA unauth RCE via deserialization (CVE-2026-41409)


CVE-2026-41409: Critical remote code execution in Apache MINA 2.x via IoBuffer.getObject() deserialization bypass (CVSS 9.8). Update to 2.0.28, 2.1.11, or 2.2.6 immediately.

Affected: Apache Mina

Patch now - CVE-2026-41409 is a critical remote code execution vulnerability in Apache MINA 2.0.0 through 2.2.5 that lets unauthenticated attackers execute arbitrary code on the server by sending crafted serialized objects. Patched in versions 2.0.28, 2.1.11, and 2.2.6 - update immediately.

Overview

CVE-2026-41409 is a complete bypass of the previous fix for CVE-2024-52046 in Apache MINA’s AbstractIoBuffer.getObject() method. The original patch restricted deserialization to an allowlist of safe classes, but it applied that check too late: a class named in the incoming stream is loaded and initialized before the allowlist is consulted, so a malicious class's static initializer runs before the check and gives the attacker arbitrary code execution on the server.

Apache MINA is a network application framework used by many Java applications for high-performance I/O operations. Applications that call IoBuffer.getObject() on data received from untrusted sources are vulnerable.

Impact

An unauthenticated attacker with network access to a vulnerable MINA endpoint can craft a serialized Java object that bypasses the classname allowlist. When the server deserializes this object, the attacker’s code runs with the same privileges as the MINA application. The CVSS score is 9.8 (Critical), reflecting the network-based, unauthenticated nature of the attack with no user interaction required.

Affected Versions

  • Apache MINA 2.0.0 through 2.0.27
  • Apache MINA 2.1.0 through 2.1.10
  • Apache MINA 2.2.0 through 2.2.5

Remediation

Upgrade to the fixed version for your release stream:

  • Apache MINA 2.0.x: upgrade to 2.0.28
  • Apache MINA 2.1.x: upgrade to 2.1.11
  • Apache MINA 2.2.x: upgrade to 2.2.6

If immediate upgrade is not possible, avoid calling IoBuffer.getObject() on data from untrusted network sources. Review your application code for any use of this method and ensure deserialization operations only process data from trusted internal sources.
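To make the ordering problem from the Overview concrete alongside the mitigation above, here is an added Java example (not MINA's code and not a reconstruction of its patch): an allowlist consulted only after readObject() has returned, beside one enforced in resolveClass() and through the JDK's ObjectInputFilter, where a non-allowlisted class name is rejected before the class is loaded or instantiated. The ALLOWED set, the class name, and the sample inputs are constructed for the example.

```java
import java.io.*;
import java.util.Set;

public class AllowlistOrdering {
    // Hypothetical allowlist for a protocol that only ever carries these two types.
    static final Set<String> ALLOWED = Set.of("java.lang.String", "java.lang.Integer");

    // Wrong ordering: by the time readObject() returns, the class has been loaded,
    // initialised (static initializer executed) and instantiated. Checking here is too late.
    static Object readThenCheck(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            Object o = in.readObject();                       // <clinit> of the class already ran
            if (!ALLOWED.contains(o.getClass().getName())) {
                throw new InvalidClassException(o.getClass().getName(), "not allowlisted");
            }
            return o;
        }
    }

    // Right ordering: resolveClass() receives only the class *name* from the stream, before
    // super.resolveClass() loads the class, so a rejected name is never loaded or initialised.
    static Object checkThenRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not allowlisted");
                }
                return super.resolveClass(desc);
            }
        }) {
            // Java 9+: the JDK filter also runs before any instance is created (defence in depth).
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "java.lang.String;java.lang.Integer;!*"));
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed inputs: an allowlisted value, then a harmless JDK type standing in for
        // an attacker-chosen class; what matters is where the rejection happens.
        System.out.println(checkThenRead(serialize("hello")));
        try { checkThenRead(serialize(new java.util.ArrayList<>())); }
        catch (InvalidClassException e) { System.out.println("rejected by name: " + e.getMessage()); }
    }
}
```

The same ordering applies to any framework's allowlist: the decision must be taken on the class descriptor's name, not on an object that has already been constructed.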

Security Insight

CVE-2026-41409 is a textbook example of an incomplete security fix - the vendor addressed the symptom (the allowlist being bypassed) but not the root cause (static initializer execution before validation). This pattern recurs across Java frameworks, where deserialization mitigations often miss edge cases like class initialization ordering. The incident underscores that security patches must be validated against the full attack surface, not just the specific test case that triggered the initial CVE. For security teams, it reinforces that every Java deserialization code path should be eliminated where possible, rather than trusted to layered blocklists or allowlists.
