CVE-2026-24656 - Vulnerability Details - OpenCVE

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/01/24/1
https://lists.apache.org/thread/dc5wmdn6hyc992olntkl75kk04ndzx34

History

Mon, 26 Jan 2026 10:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/01/24/1

Mon, 26 Jan 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue.
Title		Apache Karaf: Decanter log-socket collector has deserialization vulnerability
Weaknesses		CWE-502
References		https://lists.apache.org/thread/dc5wmdn6hyc992olntkl75kk04ndzx34

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-01-26T09:41:24.356Z

Updated: 2026-01-26T10:09:04.018Z

Reserved: 2026-01-23T17:55:14.286Z

Link: CVE-2026-24656

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-26T10:16:09.597

Modified: 2026-01-26T10:16:09.597

Link: CVE-2026-24656

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24656", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-23T17:55:14.286Z", "datePublished": "2026-01-26T09:41:24.356Z", "dateUpdated": "2026-01-26T10:09:04.018Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.karaf.decanter.collector:org.apache.karaf.decanter.collector.log.socket", "product": "Apache Karaf", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.12.0", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "unaffected", "version": "2.12.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "r00t4dm"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter.</p><br>The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed.<br>It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS.<br><br><br>NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue.<br><br><p>This issue affects Apache Karaf Decanter before 2.12.0.</p><p>Users are recommended to upgrade to version 2.12.0, which fixes the issue.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter.\n\n\nThe Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed.\nIt means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS.\n\n\nNB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue.\n\nThis issue affects Apache Karaf Decanter before 2.12.0.\n\nUsers are recommended to upgrade to version 2.12.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-01-26T09:41:24.356Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/dc5wmdn6hyc992olntkl75kk04ndzx34"}], "source": {"advisory": "https://karaf.apache.org/security/cve-2026-24656.txt", "defect": ["https://github.com/apache/karaf-decanter/issues/555"], "discovery": "EXTERNAL"}, "title": "Apache Karaf: Decanter log-socket collector has deserialization vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/01/24/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-26T10:09:04.018Z"}}]}}