Home / Vulnerability Intelligence / CVE-2026-41635

CVE-2026-41635 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 27, 2026

Apache MINA - Remote Code Execution

Published: April 27, 2026Updated: April 27, 2026Remote Exploitable

Overview

Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5 contain a remote code execution caused by bypassing classname allowlist in AbstractIoBuffer.resolveClass(), letting attackers execute arbitrary code remotely, exploit requires calling IoBuffer.getObject().

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Attackers can execute arbitrary code remotely, potentially leading to full system compromise.

Mitigation

Upgrade to Apache MINA 2.0.28, 2.1.11, or 2.2.6 or later.

References

https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm

Related Resources

Details

CVE ID: CVE-2026-41635
Severity: Critical
CVSS Score: 9.8
Type: insecure_deserialization
Status: new

CWE

CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H