CVE-2026-41586: fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE

April 29, 2026

This advisory covers the deprecated fabric-sdk-java client SDK. Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is the classic Java deserialization RCE pattern.

Note: fabric-sdk-java is deprecated and maintained in https://github.com/hyperledger/fabric-sdk-java. Filing here as that repo does not have private vulnerability reporting enabled.

References

github.com/advisories/GHSA-prf8-cf2x-rhx7
github.com/hyperledger/fabric
github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7
hyperledger.github.io/fabric-gateway
nvd.nist.gov/vuln/detail/CVE-2026-41586

Code Behaviors & Features

Detect and mitigate CVE-2026-41586 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →