Apache HugeGraph: CVE-2025-26866: Deserialization of Untrusted Data
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Dec 12, 2025 | Dec 15, 2025 | Dec 15, 2025 |
Description
A remote code execution vulnerability exists in Apache HugeGraph: a malicious Raft node can send crafted Hessian-serialized data to the PD store, which deserialized it without restricting the classes that may be instantiated (object injection). The fix enforces IP-based authentication so that only configured cluster members are accepted as Raft peers, and applies a strict class whitelist to Hessian deserialization so that arbitrary classes can no longer be instantiated from untrusted input.
Users are recommended to upgrade to version 1.7.0, which fixes the issue.
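As an added illustration (not the HugeGraph patch and not code from the project), the following Java sketch applies the two controls named in the description to an incoming Raft RPC: a membership check on the peer's source address, and Hessian deserialization through a `SerializerFactory` class allowlist. `HardenedRaftReceiver`, `StoreCommand`, `Unexpected`, the field names and the peer addresses are hypothetical; the code assumes the com.caucho `hessian` library (4.0.51 or later, where `ClassFactory` gained `setWhitelist` and `allow`) on the classpath.

```java
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.Hessian2Output;
import com.caucho.hessian.io.SerializerFactory;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.Serializable;
import java.net.InetAddress;
import java.util.Set;

/**
 * Hypothetical receiver for Raft RPCs carrying Hessian payloads.
 * Two controls: (1) the sender must be a configured peer,
 * (2) the payload is deserialized with a class allowlist.
 * This is an illustration, not the HugeGraph fix itself.
 */
public class HardenedRaftReceiver {

    /** Hypothetical stand-in for a legitimate PD store command. */
    public static class StoreCommand implements Serializable {
        public String key;
        public String value;
        public StoreCommand() {}
        public StoreCommand(String key, String value) { this.key = key; this.value = value; }
    }

    /** Hypothetical class a peer has no business sending. */
    public static class Unexpected implements Serializable {
        public String cmd;
    }

    private final Set<InetAddress> peers;
    private final SerializerFactory factory;

    public HardenedRaftReceiver(Set<InetAddress> peers) {
        this.peers = peers;
        this.factory = new SerializerFactory();
        // Switch the class filter to allowlist mode and admit only what the protocol needs.
        factory.getClassFactory().setWhitelist(true);
        factory.getClassFactory().allow("java.lang.*");
        factory.getClassFactory().allow("java.util.*");
        factory.getClassFactory().allow(StoreCommand.class.getName());
    }

    /** Accepts a payload only from a known peer and only if it decodes to StoreCommand. */
    public StoreCommand receive(InetAddress from, byte[] payload) throws IOException {
        // Control 1: membership check before any bytes are parsed.
        if (!peers.contains(from)) {
            throw new SecurityException("RPC from non-member " + from.getHostAddress() + " rejected");
        }
        // Control 2: deserialize through the allowlisting factory.
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(payload));
        in.setSerializerFactory(factory);
        Object obj = in.readObject();
        in.close();
        // Hessian does not throw for a denied class name; ClassFactory.load substitutes
        // java.util.HashMap (behaviour taken from the Hessian 4.0.5x sources, an assumption
        // to verify against the version in use), so the result type must still be checked.
        if (!(obj instanceof StoreCommand)) {
            throw new SecurityException("payload decoded to unexpected type " + obj.getClass().getName());
        }
        return (StoreCommand) obj;
    }

    /** Helper to build sample payloads; a real peer would send these over the Raft transport. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        Hessian2Output out = new Hessian2Output(bos);
        out.writeObject(o);
        out.close();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample addresses (literal IPs, no DNS lookup).
        InetAddress member = InetAddress.getByName("10.0.0.2");
        InetAddress stranger = InetAddress.getByName("203.0.113.7");
        HardenedRaftReceiver rx = new HardenedRaftReceiver(Set.of(member));

        // 1. Legitimate command from a configured peer: accepted.
        System.out.println(rx.receive(member, serialize(new StoreCommand("k", "v"))).key);

        // 2. Same bytes from an unknown address: rejected before deserialization.
        try { rx.receive(stranger, serialize(new StoreCommand("k", "v"))); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }

        // 3. A peer sends a class outside the allowlist: decodes to HashMap, then rejected.
        Unexpected u = new Unexpected();
        u.cmd = "whoami";
        try { rx.receive(member, serialize(u)); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The source-address check is only as strong as the network it runs on: on a segment where an attacker can spoof or route traffic as a peer address, it should be backed by transport authentication (for example mutual TLS between cluster members) rather than relied on alone. The class allowlist is the control that actually removes the deserialization gadget surface, and it must be applied to every `Hessian2Input` the service creates, not only the one shown here.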
Solution
Upgrade Apache HugeGraph to version 1.7.0 or later (apache-hugegraph-upgrade-latest).