CVE-2026-3967
Description
A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization System. This manipulation causes deserialization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Activiti up to 7.19/8.8.0 (the range given in the CVE description above) deserializes untrusted Java objects via ObjectInputStream when reading process variables, enabling remote code execution through gadget chains present on the engine's classpath.
Root cause
A deserialization vulnerability exists in the Activiti process variable serialization system. The SerializableType class in activiti-engine overrides resolveClass() to load classes through ReflectUtil.loadClass() without any allowlist or filter, and its deserialize() method calls ObjectInputStream.readObject() unconditionally [1]. When a user sets a process variable of a serializable type through the REST or Java API, the object is serialized and stored in the database; any later read of that variable (by the engine during process execution, by a listener, or by an API call) deserializes the stored bytes, so the stream can name and instantiate any class on the engine's classpath.
Exploitation
An attacker with basic user privileges, i.e. any account allowed to set process variables, can exploit this by submitting a crafted serialized Java object as a variable value via the REST API or Java API [1]. The payload is stored in the database and, when the engine deserializes it during normal process execution, drives a gadget chain (e.g., built from Spring Framework, Jakarta Expression Language, or Apache Commons Collections classes, depending on what is on the classpath) to execute arbitrary code on the server. The exploit has been published, lowering the barrier for attack.
Impact
Successful exploitation leads to remote code execution on the Activiti server with the privileges of the account running the engine. From there an attacker can read application data and database credentials, modify or create process definitions, and pivot to internal systems reachable from the host.
Mitigation
The vendor was contacted but did not respond. Affected versions include Activiti ≤ 7.19 and Activiti ≤ 8.8.0, per the CVE description [1]. No official patch or workaround has been provided. Because the malicious value is a legitimate serialized stream, generic input validation does not help; the controls that do are: restricting which accounts may set process variables (network restrictions on the REST API alone do not stop an authenticated user); avoiding the serializable variable type in favour of JSON or primitive variables; and enforcing a JDK serialization filter (ObjectInputFilter, available since Java 9, or the process-wide jdk.serialFilter property) that allowlists only the classes your process variables legitimately contain. Upgrade to a fixed version if one becomes available.
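The following is an added example written for this page, not Activiti's own code. It shows the unfiltered ObjectInputStream pattern described under Root cause (a resolveClass override that loads whatever class the stream names, with the context class loader standing in for ReflectUtil.loadClass) next to the hardened form from Mitigation, which installs an ObjectInputFilter allowlist. The class names, the `NotExpected` stand-in for a gadget class, and the allowlist contents are assumptions chosen for the demo.

```java
import java.io.*;
import java.util.*;

// Added example, not Activiti's code: a minimal stand-in for a
// SerializableType-style variable type (bytes in, Object out).
public class VariableDeserializationDemo {

    // Vulnerable pattern: no filter, and resolveClass() loads any class the
    // stream names. Thread context loader here stands in for ReflectUtil.loadClass.
    static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                try {
                    return Class.forName(desc.getName(), false, Thread.currentThread().getContextClassLoader());
                } catch (ClassNotFoundException e) {
                    return super.resolveClass(desc);
                }
            }
        }) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an ObjectInputFilter (JEP 290, Java 9+) that rejects any
    // class not on an explicit allowlist and caps graph depth and reference count.
    static Object deserializeAllowlisted(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            if (info.depth() > 10 || info.references() > 1000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // not a class check (e.g. array length)
            }
            Class<?> leaf = c;
            while (leaf.isArray()) leaf = leaf.getComponentType();
            if (leaf.isPrimitive() || allowed.contains(leaf.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED; // triggers InvalidClassException
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Harmless Serializable stand-in for a class an attacker would name in a
    // gadget chain; the only thing that matters is that it is not allowlisted.
    static class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "constructed, harmless";
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate variable value and a hostile one.
        byte[] legit = serialize(new HashMap<>(Map.of("orderId", 42)));
        byte[] hostile = serialize(new NotExpected());
        // Allowlist must also name serializable superclasses (Number for Integer),
        // because the stream carries a descriptor for each of them.
        Set<String> allowed = Set.of("java.util.HashMap", "java.lang.Integer",
                                     "java.lang.Number", "java.lang.String");

        System.out.println("unfiltered, hostile -> " + deserializeUnfiltered(hostile).getClass().getName());
        System.out.println("allowlisted, legit  -> " + deserializeAllowlisted(legit, allowed));
        try {
            deserializeAllowlisted(hostile, allowed);
            System.out.println("allowlisted, hostile -> NOT rejected (bug)");
        } catch (InvalidClassException e) {
            System.out.println("allowlisted, hostile -> rejected: " + e.getMessage());
        }
    }
}
```

The unfiltered path happily instantiates `NotExpected`; the filtered path throws InvalidClassException before the class is even resolved. In a real deployment the same allowlist can be applied to every ObjectInputStream in the JVM without touching engine code by starting it with `-Djdk.serialFilter=java.util.HashMap;java.lang.*;!*` (pattern syntax per the JDK serialization filtering docs), which is the quickest stopgap while no vendor fix exists.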
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 4
News mentions: 0 (no linked articles in the index yet)