Critical (9.8)

Apache MINA unauth RCE via deserialization (CVE-2026-41635)

CVE-2026-41635: Apache MINA 2.0.0 through 2.2.5 deserialization RCE without authentication (CVSS 9.8). Upgrade to 2.0.28, 2.1.11, or 2.2.6.

Affected: Apache Mina

Patch now - CVE-2026-41635 is a critical deserialization vulnerability in Apache MINA versions 2.0.0 through 2.2.5 that grants unauthenticated remote code execution by bypassing the classname allowlist. Patched in versions 2.0.28, 2.1.11, and 2.2.6 - upgrade immediately.

Overview

CVE-2026-41635 is a critical deserialization vulnerability in Apache MINA, a high-performance network application framework. The flaw exists in the AbstractIoBuffer.resolveClass() method, which contains two code branches for resolving Java classes during deserialization. One branch, which handles static classes or primitive types, does not check the resolved class against the configured classname allowlist before calling Class.forName(). This allows an attacker to bypass the intended security restriction and instantiate arbitrary classes.

An attacker can exploit this vulnerability by sending a crafted serialized Java object to an application that calls IoBuffer.getObject(). Successful exploitation achieves unauthenticated remote code execution (RCE) on the target server.

Impact

The vulnerability is scored as CRITICAL (CVSS 9.8) with a network attack vector, low attack complexity, and no privileges or user interaction required. This makes the flaw highly attractive to attackers, as it requires no authentication and can be triggered remotely. Applications using Apache MINA that deserialize untrusted data via IoBuffer.getObject() are at direct risk of full system compromise.

Remediation

Apache MINA has released patched versions that apply the classname allowlist check before class resolution:

  • Upgrade to Apache MINA 2.0.28, 2.1.11, or 2.2.6 immediately.
  • As a mitigation, ensure that IoBuffer.getObject() is only called on data from trusted sources.
  • Review any application code that integrates with Apache MINA for deserialization of untrusted input and implement additional input validation or network segmentation if immediate patching is not possible.
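The flaw described in the Overview and the corrected shape named in the Remediation, as an added example that is not Apache MINA's code: a small ObjectInputStream subclass in which one resolveClass() branch resolves the class without consulting the allowlist (the defect pattern), next to a version that gates every class name before any resolution takes place. The class names, the allowlist contents and the Greeting/NotAllowed types are constructed for the demo, and the branch condition (names starting with `[` or containing `$`) is a hypothetical stand-in for the static-class/primitive branch the advisory describes, not MINA's actual logic.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Illustrative allowlist-filtering deserializer. Not Apache MINA's
 * AbstractIoBuffer code: it models the described defect (one resolution
 * branch skipping the allowlist) next to the corrected shape, where the
 * check sits in front of every resolution path.
 */
public class AllowlistDeserializer {

    /** Constructed allowlist of binary class names; a real one is application specific. */
    static final Set<String> ALLOWED = Set.of(
        "java.lang.String",
        "AllowlistDeserializer$Greeting");

    /** Harmless serializable type that IS on the allowlist (constructed for the demo). */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Serializable type that is deliberately NOT on the allowlist (constructed; stands in for any unexpected class). */
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Reproduces the defect pattern: the allowlist is consulted in only one of two branches. */
    static final class FlawedFilteringStream extends ObjectInputStream {
        FlawedFilteringStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Branch A (hypothetical "static or primitive" handling): resolves directly.
            if (name.startsWith("[") || name.contains("$")) {
                // DEFECT: Class.forName() is reached without the allowlist check.
                return Class.forName(name, false, getClass().getClassLoader());
            }
            // Branch B: the only path that enforces the allowlist.
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not in deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Corrected shape: a single gate before ANY branch, so no path can resolve an unlisted class. */
    static final class HardenedFilteringStream extends ObjectInputStream {
        HardenedFilteringStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not in deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Serializes an object so the two streams can be fed identical bytes. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns "accepted <class>" or "rejected <class>" so the two behaviours can be compared side by side. */
    static String tryRead(byte[] payload, boolean hardened) {
        try (ObjectInputStream in = hardened
                ? new HardenedFilteringStream(new ByteArrayInputStream(payload))
                : new FlawedFilteringStream(new ByteArrayInputStream(payload))) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected " + e.classname;
        } catch (IOException | ClassNotFoundException e) {
            return "error " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] benign = serialize(new Greeting("hello"));
        byte[] unlisted = serialize(new NotAllowed()); // constructed stand-in for untrusted input

        System.out.println("flawed,   listed  : " + tryRead(benign, false));
        System.out.println("flawed,   unlisted: " + tryRead(unlisted, false)); // accepted: check skipped
        System.out.println("hardened, listed  : " + tryRead(benign, true));
        System.out.println("hardened, unlisted: " + tryRead(unlisted, true));  // rejected at the gate
    }
}
```

Run it with `java AllowlistDeserializer.java` (Java 11+ single-file launch). The flawed stream accepts the unlisted class because its name happens to match the unchecked branch, exactly the kind of silent bypass the advisory describes; the hardened stream rejects it before resolution regardless of which branch would otherwise handle it. On Java 9+, the same gate can also be installed with `java.io.ObjectInputFilter` via `ObjectInputStream.setObjectInputFilter()`, which the JDK applies to every class in the stream independently of how resolveClass() is structured.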

Security Insight

CVE-2026-41635 is a textbook example of an incomplete security fix - a code branch was added without the necessary allowlist check, creating a silent bypass. This mirrors historical deserialization flaws in other Java libraries and frameworks (such as Apache Commons Collections and Apache ActiveMQ), where a single overlooked path nullified an entire security control. It reinforces that static analysis and code review must cover every code path, including those that appear trivial or rarely used.
