Ghidra < 12.1 - Remote Code Execution via Unfiltered RMI Deserialization in Shared Project Connection
CVE-2026-52751

8.6HIGH

Key Information:

Vendor

Nationalsecurityagency

Status
Ghidra
Vendor
CVE Published:
10 June 2026

What is CVE-2026-52751?

Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes untrusted objects using a Jython 2.7.4 gadget chain to execute arbitrary commands.

Affected Version(s)

ghidra 0 < 12.1

ghidra 12.1

References

https://github.com/NationalSecurityAgency/ghidra/security...
vendor-advisory
https://github.com/NationalSecurityAgency/ghidra/commit/9...
patch
https://www.vulncheck.com/advisories/ghidra-remote-code-e...
third-party-advisory

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

@jro-calif
.