CVE-2026-41586— ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41586
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE
Source: NVD (National Vulnerability Database)
Vulnerability Description
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
Hyperledger Fabric 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Hyperledger Fabric是Hyperledger开源的一个企业级许可的分布式账本框架。用于开发解决方案和应用程序。 Hyperledger Fabric 1.0.0至2.2.26版本存在代码问题漏洞,该漏洞源于Channel.java的deSerializeChannel方法在反序列化未受信任的字节数组时未配置ObjectInputFilter,可能导致远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| hyperledger | fabric | >= 1.0.0, <= 2.2.26 | - |
II. Public POCs for CVE-2026-41586
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41586
请登录查看更多情报信息。
- Getting started - Fabric Gateway client APIx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-41586
IV. Related Vulnerabilities
Same vendor: hyperledger
- CVE-2025-30147
ALTBN128_ADD, ALTBN128_MUL, ALTBN128_PAIRING precompile func - CVE-2022-31021
Unlinkability broken in ursa when verifiers use malicious ke - CVE-2024-21669
Hyperledger Aries Cloud Agent Python result of presentation - CVE-2023-46132
Crosslinking transaction attack in hyperledger/fabric - CVE-2022-36025
Incorrect Conversion between Numeric Types in Besu Ethereum
Same weakness: CWE-502
- CVE-2026-44126
Insecure deserialization - CVE-2026-5127
User Frontend: AI Powered Frontend Posting, User Directory, - CVE-2026-34084
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFac - CVE-2026-7712
MindsDB Pickle pickle.loads deserialization - CVE-2026-7647
Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object I
V. Comments for CVE-2026-41586
No comments yet