Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-24656

Good to know:

icon
icon
icon

Date: January 26, 2026

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue.

Severity Score

Related Resources (7)

http://www.openwall.com/lists/oss-security/2026/01/24/1
https://lists.apache.org/thread/dc5wmdn6hyc992olntkl75kk04ndzx34
https://github.com/apache/karaf-decanter
https://github.com/apache/karaf-decanter/commit/9d7058d37160a16aaad34b488170adf277351e8b
https://github.com/apache/karaf-decanter/issues/555
https://nvd.nist.gov/vuln/detail/CVE-2026-24656
https://www.mend.io/vulnerability-database/CVE-2026-24656

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

icon

Upgrade Version

Upgrade to version org.apache.karaf.decanter.collector:org.apache.karaf.decanter.collector.log.socket:2.12.0;https://github.com/apache/karaf-decanter.git - decanter-2.12.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): LOW

Do you need more information?

Contact Us