Description
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.
Published: 2026-05-07
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hyperledger Fabric versions 1.0.0 through 2.2.26 use a Java ObjectInputStream to deserialize channel data without applying an ObjectInputFilter. This classic deserialization flaw allows an attacker to provide crafted serialized objects that, when processed by deSerializeChannel, execute arbitrary code on the Fabric node, compromising confidentiality, integrity, and availability of the entire ledger.

Affected Systems

Vulnerable components are found in the Hyperledger Fabric framework, specifically the Channel.java implementation used by fabric-sdk-java. All releases from 1.0.0 up to 2.2.26 are affected; newer releases beyond 2.2.26 are presumed to have mitigations.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. Although no EPSS score is available and the issue is not listed in the CISA KEV catalog, the vulnerability follows a well-known remote code execution pattern. An attacker with the ability to send arbitrary byte arrays to a Fabric channel, either through compromised SDK clients or malicious network traffic, can exploit the flaw. Proper configuration of a deserialization filter or upgrading to a non-vulnerable version are the only known mitigations.

Generated by OpenCVE AI on May 7, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available Hyperledger Fabric release that resolves the deserialization issue (check the official release notes for the fix).
  • Configure the Java runtime to enforce an ObjectInputFilter when creating any ObjectInputStream used by fabric-sdk-java, rejecting unknown or untrusted classes.
  • Restrict the nodes that may invoke deSerializeChannel by limiting SDK access to trusted clients and monitoring network traffic for suspicious serialized payloads.
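The following Java snippet is an added example of the second recommended action, not code from fabric-sdk-java or from OpenCVE: it shows a deSerializeChannel-style method that installs an allowlist ObjectInputFilter on the ObjectInputStream before calling readObject(), so that any class outside the expected set is rejected before its constructor or readObject() runs. The ChannelState class is a constructed stand-in for the SDK's Channel, and the pattern string, size limits and method names are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class FilteredChannelDeserializer {

    // Constructed stand-in for the channel state type; this is NOT the real
    // org.hyperledger.fabric.sdk.Channel class from fabric-sdk-java.
    static final class ChannelState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        ChannelState(String name) { this.name = name; }
    }

    // Allowlist filter (assumed pattern): resource limits first, then the only
    // classes this stream is expected to carry, then "!*" to reject everything else.
    // Nested classes are named with '$' in filter patterns.
    private static final ObjectInputFilter CHANNEL_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxbytes=1048576;maxrefs=1024;"
            + "FilteredChannelDeserializer$ChannelState;java.lang.String;!*");

    // Hardened counterpart of a deSerializeChannel-style method: the filter is set on
    // the stream before readObject() is called, and the top-level type is checked.
    static ChannelState deserializeChannel(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(CHANNEL_FILTER);
            Object o = in.readObject();
            if (!(o instanceof ChannelState)) {
                throw new InvalidClassException("unexpected top-level type: " + o.getClass().getName());
            }
            return (ChannelState) o;
        }
    }

    // Helper used only to build sample input for the demonstration below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: passes the allowlist.
        byte[] good = serialize(new ChannelState("mychannel"));
        System.out.println("accepted: " + deserializeChannel(good).name);

        // Any class outside the allowlist (a benign HashMap here) is rejected by the
        // filter with an InvalidClassException before it is instantiated.
        byte[] other = serialize(new HashMap<String, String>());
        try {
            deserializeChannel(other);
            System.out.println("unexpected: HashMap accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Where the vulnerable code lives in a dependency that cannot be changed, the same allowlist can be applied process-wide instead of per stream, either with the JVM option -Djdk.serialFilter='<pattern>' at startup or by calling ObjectInputFilter.Config.setSerialFilter() before any ObjectInputStream is created; a stream-level filter set as above still applies on top of the global one.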


Tracking


Advisories
Source: Github GHSA
ID: GHSA-prf8-cf2x-rhx7
Title: fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE
History

Thu, 07 May 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 06:45:00 +0000

Type: First Time appeared
Values Added: Hyperledger; Hyperledger fabric

Type: Vendors & Products
Values Added: Hyperledger; Hyperledger fabric

Thu, 07 May 2026 05:30:00 +0000

Type: Description
Values Added: Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.

Type: Title
Values Added: ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:57:52.900Z

Reserved: 2026-04-21T14:15:21.959Z

Link: CVE-2026-41586

Vulnrichment

Updated: 2026-05-07T14:15:12.122Z

NVD

Status : Awaiting Analysis

Published: 2026-05-07T06:16:04.910

Modified: 2026-05-07T16:16:19.727

Link: CVE-2026-41586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:30:06Z

Weaknesses