Arbitrary Code Execution Vulnerability in Apache MINA by The Apache Software Foundation
CVE-2026-41635

9.8 CRITICAL

Key Information:

Vendor: Apache
CVE Published: 27 April 2026

What is CVE-2026-41635?

A flaw in Apache MINA's AbstractIoBuffer.resolveClass() allows arbitrary code execution: the class allowlist is bypassed on certain code paths, particularly those handling static classes or primitive types. This can lead to unauthorized access and manipulation of application behavior. Newer versions of Apache MINA remedy the issue by enforcing the classname allowlist earlier in the execution path. Users on affected versions are strongly urged to upgrade to 2.0.28, 2.1.11, or 2.2.6 to mitigate the risk.
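As an added illustration of the fix pattern described above (this is not Apache MINA's own code, and the class and method names are mine), a deserializing stream that applies the allowlist to every class descriptor before any type-specific branch runs, reducing array and primitive descriptors to their element type so no branch can skip the check:

```java
import java.io.*;
import java.util.Set;

// Illustrative hardened deserializer (not Apache MINA's implementation):
// the allowlist check runs first for every descriptor, so the branches for
// primitive and array types cannot reach super.resolveClass() unchecked.
public class AllowlistObjectInputStream extends ObjectInputStream {
    private static final Set<String> PRIMITIVE_DESCRIPTORS =
            Set.of("Z", "B", "C", "S", "I", "J", "F", "D");
    private final Set<String> allowedClassNames;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowedClassNames)
            throws IOException {
        super(in);
        this.allowedClassNames = allowedClassNames;
        // Defence in depth (Java 9+): a stream filter rejects disallowed classes
        // before resolveClass() is even invoked.
        setObjectInputFilter(info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;
            return isAllowed(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                          : ObjectInputFilter.Status.REJECTED;
        });
    }

    // Reduce "[[Lcom.example.Foo;" to "com.example.Foo" and "[I" to "I" so the
    // check always applies to the element type instead of skipping arrays.
    static String elementTypeName(String descriptorName) {
        String n = descriptorName;
        while (n.startsWith("[")) n = n.substring(1);
        if (n.startsWith("L") && n.endsWith(";")) return n.substring(1, n.length() - 1);
        return n;
    }

    boolean isAllowed(String descriptorName) {
        String element = elementTypeName(descriptorName);
        return PRIMITIVE_DESCRIPTORS.contains(element) || allowedClassNames.contains(element);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Enforce the allowlist before any other branch, never after it.
        if (!isAllowed(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }
}
```

A class name absent from the allowlist raises InvalidClassException before the class is loaded, which is the ordering the fixed MINA releases are described as restoring.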

Affected Version(s)

Apache MINA 2.2.0 through 2.2.5 (inclusive)

Apache MINA 2.1.0 through 2.1.10 (inclusive)

Apache MINA 2.0.0 through 2.0.27 (inclusive)

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Venkatraman Kumar, Securin