Description

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

INFO

Published Date :

2025-12-12T09:23:07.681Z

Last Modified :

2026-02-26T16:07:42.192Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2025-26866 vulnerability.

Vendors Products
Apache
  • Hugegraph
  • Hugegraph-server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-26866.

URL Resource
http://www.openwall.com/lists/oss-security/2025/12/09/1 cve-icon
https://github.com/apache/incubator-hugegraph/pull/2735 cve-icon cve-icon
https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact