Vulnerability-Lookup

CVE-2026-41586 (GCVE-0-2026-41586)

Vulnerability from cvelistv5 – Published: 2026-05-07 05:12 – Updated: 2026-05-07 14:57

Title

ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE

Summary

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/hyperledger/fabric/security/ad…	x_refsource_CONFIRM
	https://hyperledger.github.io/fabric-gateway	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	hyperledger	fabric	Affected: >= 1.0.0, <= 2.2.26

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41586",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-07T14:13:37.345609Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T14:57:52.900Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fabric",
          "vendor": "hyperledger",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c= 2.2.26"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T05:12:35.666Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7"
        },
        {
          "name": "https://hyperledger.github.io/fabric-gateway",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hyperledger.github.io/fabric-gateway"
        }
      ],
      "source": {
        "advisory": "GHSA-prf8-cf2x-rhx7",
        "discovery": "UNKNOWN"
      },
      "title": "ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41586",
    "datePublished": "2026-05-07T05:12:35.666Z",
    "dateReserved": "2026-04-21T14:15:21.959Z",
    "dateUpdated": "2026-05-07T14:57:52.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41586",
      "date": "2026-05-07",
      "epss": "0.00041",
      "percentile": "0.12221"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41586\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-07T06:16:04.910\",\"lastModified\":\"2026-05-07T16:16:19.727\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://hyperledger.github.io/fabric-gateway\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-502\", \"lang\": \"en\", \"description\": \"CWE-502: Deserialization of Untrusted Data\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7\"}, {\"name\": \"https://hyperledger.github.io/fabric-gateway\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://hyperledger.github.io/fabric-gateway\"}], \"affected\": [{\"vendor\": \"hyperledger\", \"product\": \"fabric\", \"versions\": [{\"version\": \"\u003e= 1.0.0, \u003c= 2.2.26\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-07T05:12:35.666Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.\"}], \"source\": {\"advisory\": \"GHSA-prf8-cf2x-rhx7\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41586\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-07T14:13:37.345609Z\"}}}], \"references\": [{\"url\": \"https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-07T14:15:12.122Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41586\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-21T14:15:21.959Z\", \"datePublished\": \"2026-05-07T05:12:35.666Z\", \"dateUpdated\": \"2026-05-07T14:57:52.900Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-PRF8-CF2X-RHX7

Vulnerability from github – Published: 2026-04-29 20:41 – Updated: 2026-04-29 20:41

Summary

fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE

Details

Summary

This advisory covers the deprecated fabric-sdk-java client SDK. Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is the classic Java deserialization RCE pattern.

Note: fabric-sdk-java is deprecated and maintained in https://github.com/hyperledger/fabric-sdk-java. Filing here as that repo does not have private vulnerability reporting enabled.

Affected Code

// src/main/java/org/hyperledger/fabric/sdk/Channel.java
private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    in.defaultReadObject();  // No ObjectInputFilter configured
}

public Channel deSerializeChannel(byte[] channelBytes)
        throws IOException, ClassNotFoundException, InvalidArgumentException {
    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(channelBytes));
    Channel channel = (Channel) ois.readObject();  // Untrusted bytes deserialized
    return channel;
}

Attack Vector

An attacker who can supply crafted serialized Channel bytes to the client application — for example, by compromising a local channel file, injecting data through an application that accepts Channel bytes from external sources, or exploiting a separate write primitive — can achieve RCE via gadget chain exploitation when deSerializeChannel() processes those bytes. The risk is highest in deployments that accept Channel data from sources outside the client's direct control. Note: channel data is not transmitted from Fabric peers; this is a client-side deserialization surface.

Proof of Concept

// Generate malicious payload with ysoserial:
// java -jar ysoserial.jar CommonsCollections6 "touch /tmp/pwned" > malicious_channel.ser

// Victim code:
byte[] maliciousBytes = Files.readAllBytes(Paths.get("malicious_channel.ser"));
Channel channel = client.deSerializeChannel(maliciousBytes);  // RCE fires here

Notes on Deprecation

fabric-sdk-java is deprecated as of Hyperledger Fabric v2.5 (replaced by org.hyperledger.fabric:fabric-gateway). However, organizations that have not yet migrated remain fully exposed. Automated dependency scanners (Snyk, Dependabot) cannot alert users without a published GHSA. This advisory is filed to ensure those users are notified and directed to migrate.

Fix

For the deprecated SDK: add ObjectInputFilter to whitelist only expected classes:

ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
    "org.hyperledger.fabric.sdk.*;java.util.*;java.lang.*;!*"
);
ois.setObjectInputFilter(filter);

The recommended remediation is migration to org.hyperledger.fabric:fabric-gateway, which does not use Java serialization.

Resources

CWE-502: Deserialization of Untrusted Data
Migration guide: https://hyperledger.github.io/fabric-gateway/

Credits

Found via independent security research.

Severity ?

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.hyperledger.fabric-sdk-java:fabric-sdk-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "2.2.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T20:41:58Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThis advisory covers the deprecated `fabric-sdk-java` client SDK. `Channel.java` implements `readObject()` and exposes `deSerializeChannel()` which call `ObjectInputStream.readObject()` on untrusted byte arrays without configuring an `ObjectInputFilter`. This is the classic Java deserialization RCE pattern.\n\n**Note:** `fabric-sdk-java` is deprecated and maintained in https://github.com/hyperledger/fabric-sdk-java. Filing here as that repo does not have private vulnerability reporting enabled.\n\n## Affected Code\n\n```java\n// src/main/java/org/hyperledger/fabric/sdk/Channel.java\nprivate void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {\n    in.defaultReadObject();  // No ObjectInputFilter configured\n}\n\npublic Channel deSerializeChannel(byte[] channelBytes)\n        throws IOException, ClassNotFoundException, InvalidArgumentException {\n    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(channelBytes));\n    Channel channel = (Channel) ois.readObject();  // Untrusted bytes deserialized\n    return channel;\n}\n```\n\n## Attack Vector\n\nAn attacker who can supply crafted serialized Channel bytes to the client application \u2014 for example, by compromising a local channel file, injecting data through an application that accepts Channel bytes from external sources, or exploiting a separate write primitive \u2014 can achieve RCE via gadget chain exploitation when deSerializeChannel() processes those bytes. The risk is highest in deployments that accept Channel data from sources outside the client\u0027s direct control. Note: channel data is not transmitted from Fabric peers; this is a client-side deserialization surface.\n\n## Proof of Concept\n\n```java\n// Generate malicious payload with ysoserial:\n// java -jar ysoserial.jar CommonsCollections6 \"touch /tmp/pwned\" \u003e malicious_channel.ser\n\n// Victim code:\nbyte[] maliciousBytes = Files.readAllBytes(Paths.get(\"malicious_channel.ser\"));\nChannel channel = client.deSerializeChannel(maliciousBytes);  // RCE fires here\n```\n\n## Notes on Deprecation\n\nfabric-sdk-java is deprecated as of Hyperledger Fabric v2.5 (replaced by `org.hyperledger.fabric:fabric-gateway`). However, organizations that have not yet migrated remain fully exposed. Automated dependency scanners (Snyk, Dependabot) cannot alert users without a published GHSA. This advisory is filed to ensure those users are notified and directed to migrate.\n\n## Fix\n\nFor the deprecated SDK: add `ObjectInputFilter` to whitelist only expected classes:\n\n```java\nObjectInputFilter filter = ObjectInputFilter.Config.createFilter(\n    \"org.hyperledger.fabric.sdk.*;java.util.*;java.lang.*;!*\"\n);\nois.setObjectInputFilter(filter);\n```\n\n**The recommended remediation is migration to `org.hyperledger.fabric:fabric-gateway`**, which does not use Java serialization.\n\n## Resources\n\n- CWE-502: Deserialization of Untrusted Data\n- Migration guide: https://hyperledger.github.io/fabric-gateway/\n\n## Credits\n\nFound via independent security research.",
  "id": "GHSA-prf8-cf2x-rhx7",
  "modified": "2026-04-29T20:41:58Z",
  "published": "2026-04-29T20:41:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hyperledger/fabric"
    },
    {
      "type": "WEB",
      "url": "https://hyperledger.github.io/fabric-gateway"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE"
}

FKIE_CVE-2026-41586

Vulnerability from fkie_nvd - Published: 2026-05-07 06:16 - Updated: 2026-05-07 15:53

Severity ?

9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7
	security-advisories@github.com	https://hyperledger.github.io/fabric-gateway

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches."
    }
  ],
  "id": "CVE-2026-41586",
  "lastModified": "2026-05-07T15:53:49.717",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-07T06:16:04.910",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://hyperledger.github.io/fabric-gateway"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41586 (GCVE-0-2026-41586)

GHSA-PRF8-CF2X-RHX7

Summary

Affected Code

Attack Vector

Proof of Concept

Notes on Deprecation

Fix

Resources

Credits

FKIE_CVE-2026-41586

Tags

Sightings

Nomenclature