CVE-2026-41586

UNKNOWN 0.0

ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.

CWE	CWE-502
Vendor	hyperledger
Product	fabric
Published	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for hyperledger fabric

Be the first to know when new unknown vulnerabilities affecting hyperledger fabric are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

hyperledger / fabric

>= 1.0.0, <= 2.2.26

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7 hyperledger.github.io: https://hyperledger.github.io/fabric-gateway