Cyber Posture

CVE-2025-26866

Severity: High
Published: 12 December 2025
Modified: 29 December 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0169 (82.3rd percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A remote code execution vulnerability exists in Apache HugeGraph where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

Mitigating Controls, NIST 800-53 r5 (AI-generated)

prevent

SI-2 (Flaw Remediation) requires timely patching; upgrading to Apache HugeGraph 1.7.0 removes the insecure Hessian deserialization path directly.

prevent

IA-3 (Device Identification and Authentication) requires that a node authenticate before it is accepted as a cluster member; the fix's IP-based membership check is one such control and keeps a rogue Raft node from reaching the deserializer at all. An address allowlist only restricts who may talk to the PD store; it does not make the deserializer itself safe against traffic from a compromised member, which is why the fix layers the class whitelist on top.

prevent

SI-10 (Information Input Validation) requires validating inbound data; the strict class whitelist in the patch is input validation on the Hessian stream and is the control that actually stops object injection.

Security Summary (AI-generated)

CVE-2025-26866 is a remote code execution vulnerability stemming from insecure Hessian deserialization in the PD store component of Apache HugeGraph. A malicious Raft node can exploit this flaw to inject attacker-chosen objects during deserialization, leading to arbitrary code execution. The issue is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): high severity, reflecting network reachability, low attack complexity, and a low-privilege requirement.

An attacker with low privileges, such as the ability to introduce a malicious Raft node into the cluster, can exploit this over the network with no user interaction. Successful exploitation grants high-impact remote code execution on the targeted PD store, potentially compromising confidentiality, integrity, and availability of the affected system.

Advisories recommend upgrading to Apache HugeGraph version 1.7.0, which addresses the vulnerability by enforcing IP-based authentication to restrict cluster membership and implementing a strict class whitelist to prevent object injection in the Hessian serialization process. Details are available in the GitHub pull request at https://github.com/apache/incubator-hugegraph/pull/2735, Apache mailing list announcement at https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq, and OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/12/09/1.
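The two controls the fix combines, a source-address check on cluster membership and a class whitelist on the Hessian deserializer, are shown together in the following added Java example, which also serves the description above. This is illustrative code written for this page, not Apache HugeGraph's code and not the contents of pull request 2735: the endpoint and message classes (HardenedRaftEndpoint, RaftHeartbeat, UnexpectedType) and the peer addresses are invented, and it assumes the com.caucho:hessian artifact (4.0.51 or later, where ClassFactory's whitelist mode exists) on the classpath. The unrestricted reader shows the pre-fix failure mode: the sender, not the receiver, decides which class gets instantiated.

```java
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.Hessian2Output;
import com.caucho.hessian.io.SerializerFactory;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.Serializable;
import java.net.InetAddress;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** The only payload type the endpoint is prepared to accept (hypothetical message class). */
class RaftHeartbeat implements Serializable {
    private static final long serialVersionUID = 1L;
    long term;
    String leaderId;
    RaftHeartbeat() {}
    RaftHeartbeat(long term, String leaderId) { this.term = term; this.leaderId = leaderId; }
}

/** Stand-in for an attacker-chosen class; a real gadget would be some class already on the classpath. */
class UnexpectedType implements Serializable {
    private static final long serialVersionUID = 1L;
    String payload = "not a heartbeat";
}

/** Illustrative hardening of a Hessian-based Raft message endpoint (not HugeGraph code). */
public class HardenedRaftEndpoint {

    // Control 1 (IA-3 style): only configured cluster members may deliver Raft messages.
    private final Set<InetAddress> trustedPeers;

    public HardenedRaftEndpoint(Set<InetAddress> trustedPeers) {
        this.trustedPeers = Collections.unmodifiableSet(new HashSet<>(trustedPeers));
    }

    public boolean isTrustedPeer(InetAddress remote) {
        return trustedPeers.contains(remote);
    }

    // Control 2 (SI-10 style): a class whitelist on the deserializer, default-deny.
    private static SerializerFactory hardenedFactory() {
        SerializerFactory f = new SerializerFactory();
        f.getClassFactory().setWhitelist(true);                 // every class name must match an allow() pattern
        f.getClassFactory().allow(RaftHeartbeat.class.getName());
        f.getClassFactory().allow("java.util.*");               // only if messages carry typed collections
        return f;
    }

    /** VULNERABLE (pre-fix pattern): instantiates whatever class the sender names in the stream. */
    public static Object readUnrestricted(byte[] wire) throws IOException {
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(wire));
        return in.readObject();
    }

    /** HARDENED: source check first, then whitelisted deserialization, then an explicit type check. */
    public RaftHeartbeat readHeartbeat(InetAddress remote, byte[] wire) throws IOException {
        if (!isTrustedPeer(remote)) {
            throw new SecurityException("rejected Raft message from non-member " + remote);
        }
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(wire));
        in.setSerializerFactory(hardenedFactory());
        Object o = in.readObject();
        // A class that fails the whitelist is not instantiated; Hessian substitutes a plain map
        // instead of throwing, so the endpoint must still verify the type it got back.
        if (!(o instanceof RaftHeartbeat)) {
            String got = (o == null) ? "null" : o.getClass().getName();
            throw new SecurityException("rejected unexpected payload type " + got);
        }
        return (RaftHeartbeat) o;
    }

    /** Stock Hessian encoding: this is what any peer, honest or rogue, can put on the wire. */
    public static byte[] encode(Object msg) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        Hessian2Output out = new Hessian2Output(bos);
        out.writeObject(msg);
        out.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        InetAddress member = InetAddress.getByName("10.0.0.11");   // constructed: a configured PD peer
        InetAddress outsider = InetAddress.getByName("10.0.0.99"); // constructed: a rogue node
        HardenedRaftEndpoint endpoint = new HardenedRaftEndpoint(Collections.singleton(member));

        byte[] good = encode(new RaftHeartbeat(7, "pd-1"));
        byte[] bad = encode(new UnexpectedType());

        System.out.println("unrestricted read instantiated: " + readUnrestricted(bad).getClass().getName());
        System.out.println("hardened, member, heartbeat: term=" + endpoint.readHeartbeat(member, good).term);
        try { endpoint.readHeartbeat(member, bad); }
        catch (SecurityException e) { System.out.println("hardened: " + e.getMessage()); }
        try { endpoint.readHeartbeat(outsider, good); }
        catch (SecurityException e) { System.out.println("hardened: " + e.getMessage()); }
    }
}
```

Compile and run with the Hessian jar on the classpath (assumed here to be hessian-4.0.66.jar): `javac -cp hessian-4.0.66.jar HardenedRaftEndpoint.java && java -cp .:hessian-4.0.66.jar HardenedRaftEndpoint`. The ordering in readHeartbeat matters: the peer check runs before any bytes reach the deserializer, so a non-member never exercises the parsing code at all, and the whitelist plus type check cover the case the IP allowlist cannot, a message from a host that is a legitimate member but has been compromised. Keep the allow list to the message types the endpoint actually expects; the java.util.* entry is there only for typed collections inside those messages and should be dropped if none are used.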

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

apache hugegraph: versions from 1.0.0 up to but not including 1.7.0 (fixed in 1.7.0)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

CVE-2025-26866 enables remote code execution through insecure Hessian deserialization in the network-accessible PD store component of Apache HugeGraph, directly facilitating T1210: Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/apache/incubator-hugegraph/pull/2735
https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq
http://www.openwall.com/lists/oss-security/2025/12/09/1