Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.hyperledger.fabric-sdk-java/fabric-sdk-java@2.2.24
Type maven
Namespace org.hyperledger.fabric-sdk-java
Name fabric-sdk-java
Version 2.2.24
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-gxvx-xg8s-hkdr
vulnerability_id VCID-gxvx-xg8s-hkdr
summary fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE
## Summary

This advisory covers the deprecated `fabric-sdk-java` client SDK. `Channel.java` implements `readObject()` and exposes `deSerializeChannel()` which call `ObjectInputStream.readObject()` on untrusted byte arrays without configuring an `ObjectInputFilter`. This is the classic Java deserialization RCE pattern.

**Note:** `fabric-sdk-java` is deprecated and maintained in https://github.com/hyperledger/fabric-sdk-java. Filing here as that repo does not have private vulnerability reporting enabled.

## Affected Code

```java
// src/main/java/org/hyperledger/fabric/sdk/Channel.java
private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    in.defaultReadObject();  // No ObjectInputFilter configured
}

public Channel deSerializeChannel(byte[] channelBytes)
        throws IOException, ClassNotFoundException, InvalidArgumentException {
    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(channelBytes));
    Channel channel = (Channel) ois.readObject();  // Untrusted bytes deserialized
    return channel;
}
```

## Attack Vector

An attacker who can supply crafted serialized Channel bytes to the client application — for example, by compromising a local channel file, injecting data through an application that accepts Channel bytes from external sources, or exploiting a separate write primitive — can achieve RCE via gadget chain exploitation when deSerializeChannel() processes those bytes. The risk is highest in deployments that accept Channel data from sources outside the client's direct control. Note: channel data is not transmitted from Fabric peers; this is a client-side deserialization surface.

## Proof of Concept

```java
// Generate malicious payload with ysoserial:
// java -jar ysoserial.jar CommonsCollections6 "touch /tmp/pwned" > malicious_channel.ser

// Victim code:
byte[] maliciousBytes = Files.readAllBytes(Paths.get("malicious_channel.ser"));
Channel channel = client.deSerializeChannel(maliciousBytes);  // RCE fires here
```

## Notes on Deprecation

fabric-sdk-java is deprecated as of Hyperledger Fabric v2.5 (replaced by `org.hyperledger.fabric:fabric-gateway`). However, organizations that have not yet migrated remain fully exposed. Automated dependency scanners (Snyk, Dependabot) cannot alert users without a published GHSA. This advisory is filed to ensure those users are notified and directed to migrate.

## Fix

For the deprecated SDK: add `ObjectInputFilter` to whitelist only expected classes:

```java
// Build an allow-list filter: only the SDK's own classes, java.util and java.lang
// are accepted; the trailing "!*" rejects every other class before it is instantiated.
ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
    "org.hyperledger.fabric.sdk.*;java.util.*;java.lang.*;!*"
);
// The filter must be installed on the stream before readObject() is called.
ois.setObjectInputFilter(filter);
```
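A self-contained version of that fix, added here as an example and not code from fabric-sdk-java: a hypothetical `readFiltered()` built the same way as `deSerializeChannel()` but with the allow-list filter installed, fed a constructed `java.util.ArrayList` that the pattern accepts and a `java.math.BigInteger` that it rejects before any object of that class is instantiated. The class name `FilteredDeserializeDemo` and the resource limits are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.List;
// Demo class added for illustration; hypothetical, not part of fabric-sdk-java.
public class FilteredDeserializeDemo {
    // Same allow-list as the advisory's pattern, plus resource limits. Limits are
    // parsed independently of class patterns; "!*" rejects every class not listed.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=20;maxrefs=10000;org.hyperledger.fabric.sdk.*;java.util.*;java.lang.*;!*");

    // Hardened counterpart of deSerializeChannel(): the filter is installed on the
    // stream before readObject(), so a rejected class fails in the descriptor check
    // and no constructor, readObject() or gadget code of that class ever runs.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // Helper to build constructed sample payloads in-process.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // java.util.ArrayList holding java.lang.String: both match the allow-list.
        List<String> peers = new ArrayList<>(List.of("peer0", "peer1"));
        System.out.println("accepted: " + readFiltered(serialize(peers)));
        // java.math.BigInteger is Serializable but matches only "!*", so the stream
        // throws InvalidClassException ("filter status: REJECTED") before instantiation.
        try {
            readFiltered(serialize(new BigInteger("42")));
            System.out.println("BUG: filter did not reject");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```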

**The recommended remediation is migration to `org.hyperledger.fabric:fabric-gateway`**, which does not use Java serialization.

## Resources

- CWE-502: Deserialization of Untrusted Data
- Migration guide: https://hyperledger.github.io/fabric-gateway/

## Credits

Found by [Martin Brodeur (brodmart)](https://github.com/brodmart) via independent security research.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41586
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.0447
published_at 2026-06-05T12:55:00Z
1
value 0.00017
scoring_system epss
scoring_elements 0.04446
published_at 2026-06-07T12:55:00Z
2
value 0.00017
scoring_system epss
scoring_elements 0.04459
published_at 2026-06-06T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.05146
published_at 2026-06-09T12:55:00Z
4
value 0.00018
scoring_system epss
scoring_elements 0.05103
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41586
1
reference_url https://github.com/hyperledger/fabric-sdk-java
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/hyperledger/fabric-sdk-java
2
reference_url https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7
reference_id
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-07T14:13:37Z/
url https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7
3
reference_url https://hyperledger.github.io/fabric-gateway
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-07T14:13:37Z/
url https://hyperledger.github.io/fabric-gateway
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41586
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41586
5
reference_url https://github.com/advisories/GHSA-prf8-cf2x-rhx7
reference_id GHSA-prf8-cf2x-rhx7
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-prf8-cf2x-rhx7
fixed_packages
aliases CVE-2026-41586, GHSA-prf8-cf2x-rhx7
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gxvx-xg8s-hkdr
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.hyperledger.fabric-sdk-java/fabric-sdk-java@2.2.24