Critical severityGHSA Advisory· Published May 7, 2026· Updated May 7, 2026

CVE-2026-41586

Description

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.hyperledger.fabric-sdk-java:fabric-sdk-javaMaven	>= 1.0.0, <= 2.2.26	—

Affected products

Hyperledger/FabricGHSA
Range: >= 1.0.0, <= 2.2.26
osv-coords3 versions
pkg:bitnami/hyperledger-fabric-orderer pkg:bitnami/hyperledger-fabric-peer pkg:bitnami/hyperledger-fabric-tools
>= 1.0.0, < 2.5.9+ 2 more
- (no CPE)range: >= 1.0.0, < 2.5.9
- (no CPE)range: >= 1.0.0, < 2.5.9
- (no CPE)range: >= 1.0.0, < 2.5.9

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-prf8-cf2x-rhx7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41586ghsaADVISORY
github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7nvdWEB
hyperledger.github.io/fabric-gatewaynvdWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000