Vulnerability Description
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.
Related Weaknesses (CWE)
References
- https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7
- https://hyperledger.github.io/fabric-gateway
FAQ
What is CVE-2026-41586?
CVE-2026-41586 is a documented vulnerability. Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and e...
How severe is CVE-2026-41586?
CVSS scoring is not yet available for CVE-2026-41586. Check NVD for updates.
Is there a patch for CVE-2026-41586?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.