Deserialization Vulnerability in Apache MINA Affects Data Security
CVE-2026-41409

9.8 CRITICAL

Key Information:

Vendor: Apache

CVE Published: 27 April 2026

What is CVE-2026-41409?

A deserialization vulnerability in Apache MINA stems from the classname allowlist in the AbstractIoBuffer.getObject() method being applied too late in the deserialization path. Because the allowlist is consulted only after a class named in the stream has already been resolved, the static initializers of classes that should have been rejected can still execute, compromising the integrity of applications that use the affected versions of Apache MINA. Users should upgrade to Apache MINA 2.0.28, 2.1.11, or 2.2.6, which resolve the issue by applying the classname allowlist at an earlier stage, before the class is resolved.
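As an added illustration of the ordering problem described above (this is not code from Apache MINA or from the advisory; the class and field names are hypothetical), the stream below applies a classname allowlist either after the class lookup, mirroring a late check, or before it, mirroring the fix. It assumes a resolver that initializes the class on lookup; MINA's own code paths are not reproduced.

```java
import java.io.*;
import java.util.*;

public final class AllowlistOrderingDemo {
    // Constructed allowlist for the demo; a real one names exactly the types the application expects.
    static final Set<String> ALLOWED = Set.of("java.lang.String", "java.lang.Integer");
    // Stand-in for a type that must never be deserialized (constructed for the demo).
    static final class RestrictedType implements Serializable { }
    // Applies the allowlist either before (checkFirst=true) or after (checkFirst=false)
    // the class lookup; lookedUp records every name that reached the lookup step.
    static final class FilteringStream extends ObjectInputStream {
        final boolean checkFirst;
        final List<String> lookedUp = new ArrayList<>();

        FilteringStream(byte[] data, boolean checkFirst) throws IOException {
            super(new ByteArrayInputStream(data));
            this.checkFirst = checkFirst;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (checkFirst) reject(name);   // fixed ordering: reject by name before anything is loaded
            lookedUp.add(name);
            // initialize=true: a not-yet-initialized class runs its static initializer right here,
            // before a late check below could reject it.
            Class<?> c = Class.forName(name, true, getClass().getClassLoader());
            if (!checkFirst) reject(name);  // late ordering: the class has already been loaded
            return c;
        }

        private static void reject(String name) throws InvalidClassException {
            if (!ALLOWED.contains(name)) throw new InvalidClassException(name, "not in allowlist");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new RestrictedType());  // built in-process; stands in for untrusted input
        for (boolean early : new boolean[] { false, true }) {
            FilteringStream in = new FilteringStream(payload, early);
            try { in.readObject(); } catch (InvalidClassException expected) { /* rejected as intended */ }
            System.out.println((early ? "early" : "late") + " check, looked up before rejection: " + in.lookedUp);
        }
    }
}
```

Both orderings reject the payload, but only the early check does so before the restricted class name reaches the lookup step, which is the point of the fix.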

Affected Version(s)

Apache MINA 2.2.0 through 2.2.5 (inclusive)

Apache MINA 2.1.0 through 2.1.10 (inclusive)

Apache MINA 2.0.0 through 2.0.27 (inclusive)


CVSS v3.1

Score: 9.8
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 27 April 2026

Credit

Venkatraman Kumar, Securin