CVE-2026-41586
CriticalSummary
Hyperledger Fabric versions from 1.0.0 to 2.2.26 contain a vulnerability in the Channel.java class, which implements the readObject() method and exposes deSerializeChannel(). This method calls ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter, leading to a classic Java deserialization RCE pattern.
Risk Assessment
This vulnerability may lead to remote code execution, posing a serious security threat to applications using Hyperledger Fabric. The lack of available patches increases the risk of exploitation.
Recommendation
It is recommended to avoid using vulnerable versions of Hyperledger Fabric and to monitor for available updates, as there are currently no publicly available patches. Additionally, consider implementing extra security measures to protect against potential exploitation of this vulnerability.
Original NVD description (English source)
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.

