{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41409", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-20T15:04:54.505Z", "datePublished": "2026-04-27T09:20:12.866Z", "dateUpdated": "2026-04-27T12:21:52.067Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/org/apache/mina/", "defaultStatus": "unaffected", "packageName": "org.apache.mina:mina.core", "product": "Apache MINA", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.2.5", "status": "affected", "version": "2.2.0", "versionType": "semver"}, {"lessThanOrEqual": "2.1.10", "status": "affected", "version": "2.1.0", "versionType": "semver"}, {"lessThanOrEqual": "2.0.27", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Venkatraman Kumar, Securin"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.</div><div><br></div><div>Affected versions are Apache MINA 2.0.0 &lt;= 2.0.27, 2.1.0 &lt;= 2.1.10, and 2.2.0 &lt;= 2.2.5.</div><div><br></div><div>The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.</div><div><br></div><div>Affected are applications using Apache MINA that call IoBuffer.getObject().</div><div><br></div><div>Applications using Apache MINA are advised to upgrade</div><br>"}], "value": "The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-27T09:20:12.866Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache MINA: CWE-502 Deserialization of Untrusted Data", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T12:21:46.348024Z", "id": "CVE-2026-41409", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T12:21:52.067Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T12:21:46.348024Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T12:21:49.318Z"}}], "cna": {"title": "Apache MINA: CWE-502 Deserialization of Untrusted Data", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Venkatraman Kumar, Securin"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache MINA", "versions": [{"status": "affected", "version": "2.2.0", "versionType": "semver", "lessThanOrEqual": "2.2.5"}, {"status": "affected", "version": "2.1.0", "versionType": "semver", "lessThanOrEqual": "2.1.10"}, {"status": "affected", "version": "2.0.0", "versionType": "semver", "lessThanOrEqual": "2.0.27"}], "packageName": "org.apache.mina:mina.core", "collectionURL": "https://repo.maven.apache.org/maven2/org/apache/mina/", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade", "supportingMedia": [{"type": "text/html", "value": "<div>The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.</div><div><br></div><div>Affected versions are Apache MINA 2.0.0 &lt;= 2.0.27, 2.1.0 &lt;= 2.1.10, and 2.2.0 &lt;= 2.2.5.</div><div><br></div><div>The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.</div><div><br></div><div>Affected are applications using Apache MINA that call IoBuffer.getObject().</div><div><br></div><div>Applications using Apache MINA are advised to upgrade</div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-27T09:20:12.866Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41409", "state": "PUBLISHED", "dateUpdated": "2026-04-27T12:21:52.067Z", "dateReserved": "2026-04-20T15:04:54.505Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-27T09:20:12.866Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD2A5F4E-7B53-4235-BE01-DD9B9E3614E0", "versionEndExcluding": "2.0.28", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "matchCriteriaId": "E69C9219-F00B-4677-88B8-3263615586BD", "versionEndExcluding": "2.1.11", "versionStartIncluding": "2.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC86281C-5EBB-4250-8575-50EB77E76F3E", "versionEndExcluding": "2.2.6", "versionStartIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade"}], "id": "CVE-2026-41409", "lastModified": "2026-04-29T19:08:07.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2026-04-27T10:16:09.740", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Primary"}]}

{"bugzilla": {"description": "Apache MINA: Apache MINA: Arbitrary code execution via incomplete deserialization fix", "id": "2463175", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463175"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in Apache MINA. An incomplete fix for a deserialization vulnerability in the `AbstractIoBuffer.getObject()` method allowed a static initializer in a class to be executed before the classname allowlist was applied. This could enable a remote attacker to execute arbitrary code by sending specially crafted data to an application using Apache MINA that calls `IoBuffer.getObject()`."], "name": "CVE-2026-41409", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Under investigation", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Under investigation", "package_name": "jenkins-2-plugins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Under investigation", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Under investigation", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Under investigation", "package_name": "mina-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "javapackages-tools:201801/maven-wagon", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "maven:3.9/maven-wagon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "maven-wagon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Under investigation", "package_name": "mina-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Not affected", "package_name": "mina-core", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-04-27T09:20:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41409\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41409\nhttps://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9"], "statement": "This is a Critical deserialization flaw in Apache MINA, allowing remote attackers to execute arbitrary code. It addresses an incomplete fix for CVE-2024-52046 which could bypass security controls. Red Hat products are affected if they utilize Apache MINA and invoke the `IoBuffer.getObject()` method.", "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,2.2.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0,2.1.10]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.27]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache MINA", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "mina", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-28T04:39:45.444824+00:00", "value": {"mitigation_remediation": ["Upgrade Apache MINA to version 2.0.28, 2.1.11, or 2.2.6 or later, which applies the classname allowlist at the correct time.", "Configure the application to restrict deserialization to a strict whitelist of trusted classes and disallow any payloads from untrusted external sources.", "Implement network segmentation and logging for all traffic reaching the MINA endpoints, and monitor for anomalous deserialization activity."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution via Untrusted Deserialization"}, "threat_synthesis": {"affected_systems": "The issue affects Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. Applications or services that incorporate Apache MINA and invoke IoBuffer.getObject() are vulnerable.", "description_and_impact": "The vulnerability lies in Apache MINA's AbstractIoBuffer.getObject() method. Because the classname allowlist is applied only after a static initializer has already been executed, an attacker can send crafted serialized data that triggers arbitrary code execution during deserialization. This weakness is a classic deserialization flaw (CWE\u2011502) that can compromise confidentiality, integrity, and availability of any system using the affected MINA framework.", "risk_and_exploitability": "Based on the description, the likely attack vector is remote, originating from network traffic that passes through services using MINA's deserialization. With a CVSS score of 9.8, this vulnerability is considered critical. The EPSS score of <1% indicates that, at present, the likelihood of exploitation is low but non-zero. It is not listed in the CISA KEV catalog. The vulnerability therefore carries a high severity and a small but present exploitation probability."}}}}, "created": "2026-04-28T04:45:22.550962+00:00", "updated": "2026-04-28T09:17:21.511672+00:00", "vendors": ["apache", "apache$PRODUCT$mina"]}