Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-41635 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-27 |
| Vendor | Apache Software Foundation |
| Product | Apache MINA |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Apache MINA’s AbstractIoBuffer.resolveClass() contains two branches. One of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6.
Required Actions
Update Apache MINA to version 2.0.28, 2.1.11, or 2.2.6 (depending on the line in use) immediately. Until the patch is deployed, avoid deserializing Java objects from untrusted sources and consider introducing a global JVM deserialization filter (-Djdk.serialFilter=...). Review Java application transitive dependencies for older versions of MINA.
Who Is Affected?
This vulnerability affects Apache MINA by Apache Software Foundation. Check whether your organization uses Apache MINA for Java object deserialization and update all instances to a patched version without delay.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
