Remote Code Execution Vulnerability in Apache HugeGraph PD Store
CVE-2025-26866

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Hugegraph-server
Vendor: CVE Published:; 12 December 2025

What is CVE-2025-26866?

A vulnerability exists within the PD store of Apache HugeGraph that allows remote code execution via insecure Hessian deserialization. A malicious Raft node can exploit this flaw, potentially compromising the integrity of the system. The recommended remedy includes upgrading to version 1.7.0, where IP-based authentication is enforced to limit cluster membership and a strict class whitelist is implemented to safeguard against object injection attacks. This patch enhances overall security and mitigates risks associated with this vulnerability.

Affected Version(s)

Apache HugeGraph-Server 1.0.0 < 1.7.0

References

https://github.com/apache/incubator-hugegraph/pull/2735

patch

https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 12, 2025
Vulnerability Reserved
Feb 17, 2025

Credit

shukuang

yulate

X1r0z

haohao0103

JSON