Cyber Posture

CVE-2025-26866

Severity: High · Impact: RCE

Published: 12 December 2025
Modified: 29 December 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (upgrade to Apache HugeGraph 1.7.0)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0187 (83.3rd percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26866 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Hugegraph. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). By EPSS it ranks in the top 16.7% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation) requires timely remediation of known flaws through patching, which directly addresses the insecure Hessian deserialization by upgrading to version 1.7.0 as recommended.

prevent: IA-3 (Device Identification and Authentication) enforces identification and authentication of devices before they may connect, which mitigates exploitation by restricting malicious Raft nodes from joining the cluster via IP-based authentication, as the fix does.

prevent: SI-10 (Information Input Validation) mandates validation of information inputs, which directly counters object injection during Hessian deserialization through strict class whitelisting, as implemented in the patch.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

CVE-2025-26866 enables remote code execution through insecure Hessian deserialization in the network-accessible PD store component of Apache HugeGraph, directly facilitating T1210: Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

Deeper analysis

CVE-2025-26866 is a remote code execution vulnerability stemming from insecure Hessian deserialization in the PD store component of Apache HugeGraph. A malicious Raft node can exploit this flaw to inject attacker-chosen objects during deserialization, leading to arbitrary code execution. The issue is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): the PD store is reachable over the network (AV:N), the attack has low complexity (AC:L), only low privileges are required (PR:L), no user interaction is needed (UI:N), and the impact on confidentiality, integrity and availability is high.

An attacker with low privileges, meaning the ability to present a malicious Raft node to the cluster, can exploit this over the network with no user interaction. Successful exploitation grants remote code execution on the targeted PD store, compromising the confidentiality, integrity, and availability of the affected system. In deployments where the PD store's Raft port is reachable from untrusted networks, that privilege bar is low in practice; until the upgrade is applied, the compensating control is to restrict reachability of that port to the addresses of legitimate cluster peers.

Advisories recommend upgrading to Apache HugeGraph version 1.7.0, which addresses the vulnerability by enforcing IP-based authentication to restrict cluster membership and implementing a strict class whitelist to prevent object injection in the Hessian serialization process. Details are available in the GitHub pull request at https://github.com/apache/incubator-hugegraph/pull/2735, Apache mailing list announcement at https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq, and OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/12/09/1.
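To make the two halves of the fix concrete, here is an added example in Java (HugeGraph's own language). It is not the project's code and does not reproduce the actual patch in the pull request linked above; it shows the same two gates using Hessian's own ClassFactory whitelist (present in Hessian 4.0.51 and later) and a simple address-based membership check. The message types (NodeHeartbeat, UnexpectedType), the peer addresses and the method names are invented for the demonstration.

```java
import com.caucho.hessian.io.ClassFactory;
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.Hessian2Output;
import com.caucho.hessian.io.SerializerFactory;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.Serializable;
import java.net.InetAddress;
import java.util.HashMap;
import java.util.Set;

/** Hypothetical stand-in for a legitimate PD-store message; not a HugeGraph class. */
class NodeHeartbeat implements Serializable {
    private static final long serialVersionUID = 1L;
    String nodeId;
    long term;
    NodeHeartbeat() {}
    NodeHeartbeat(String nodeId, long term) { this.nodeId = nodeId; this.term = term; }
}

/** Hypothetical stand-in for a class the store never expects on the wire (think gadget class). */
class UnexpectedType implements Serializable {
    private static final long serialVersionUID = 1L;
    String command = "whoami";
}

public class HardenedHessianDemo {

    /**
     * Gate 1 (IA-3 style): a peer is admitted only if its source address is a configured
     * cluster member. This runs before a single byte is handed to Hessian.
     */
    static boolean isAuthorizedPeer(InetAddress source, Set<String> clusterPeers) {
        return clusterPeers.contains(source.getHostAddress());
    }

    /**
     * Gate 2 (SI-10 style): a SerializerFactory whose ClassFactory is in whitelist mode,
     * so Hessian will only load the classes matching the given patterns.
     */
    static SerializerFactory whitelistedFactory(String... allowedClassPatterns) {
        SerializerFactory factory = new SerializerFactory();
        ClassFactory classFactory = factory.getClassFactory();
        classFactory.setWhitelist(true);             // everything not allowed below is denied
        for (String pattern : allowedClassPatterns) {
            classFactory.allow(pattern);             // exact name, or a narrow glob such as "com.example.pd.*"
        }
        return factory;
    }

    /** Serialize with Hessian's default factory, as a peer (honest or not) would. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        Hessian2Output out = new Hessian2Output(bos);
        out.writeObject(o);
        out.close();
        return bos.toByteArray();
    }

    /** Deserialize with the whitelisted factory, as the hardened store side would. */
    static Object deserialize(byte[] payload, SerializerFactory factory) throws IOException {
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(payload));
        in.setSerializerFactory(factory);
        try {
            return in.readObject();
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> clusterPeers = Set.of("10.0.0.11", "10.0.0.12", "10.0.0.13");   // constructed sample

        InetAddress rogue = InetAddress.getByName("10.0.9.99");
        InetAddress member = InetAddress.getByName("10.0.0.12");
        System.out.println("rogue admitted:  " + isAuthorizedPeer(rogue, clusterPeers));
        System.out.println("member admitted: " + isAuthorizedPeer(member, clusterPeers));

        SerializerFactory factory = whitelistedFactory("NodeHeartbeat");

        Object ok = deserialize(serialize(new NodeHeartbeat("pd-2", 7)), factory);
        System.out.println("expected type decoded as: " + ok.getClass().getName());

        // Hessian's whitelist does not throw on a denied class name: ClassFactory refuses to
        // load it and materialises the fields as a plain HashMap, so no constructor,
        // readResolve or gadget chain of UnexpectedType ever runs on the store.
        Object denied = deserialize(serialize(new UnexpectedType()), factory);
        System.out.println("denied type decoded as:   " + denied.getClass().getName());
        System.out.println("denied is UnexpectedType: " + (denied instanceof UnexpectedType));
        System.out.println("denied is HashMap:        " + (denied instanceof HashMap));
    }
}
```

Two practitioner notes on the design. The address check is only as strong as the network path between peers: on a shared segment it can be spoofed, and behind NAT or on shared hosts it admits everything from that address, so treat it as the first gate and rely on the class whitelist to actually remove the gadget surface; mutual TLS between Raft peers is the stronger realisation of IA-3. Second, Hessian turns each allow pattern into a regular expression, so whitelist exact class names or a narrowly scoped package wildcard, never a bare `*`, and verify after any upgrade of the serialization library that whitelist mode is still enabled.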

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

apache / hugegraph: 1.0.0 through versions before 1.7.0 (fixed in 1.7.0)

CVEs Like This One

CVE-2026-35337 (same vendor: Apache)
CVE-2026-27172 (same vendor: Apache)
CVE-2025-66524 (same vendor: Apache)
CVE-2024-47552 (same vendor: Apache)
CVE-2026-40858 (same vendor: Apache)
CVE-2025-54920 (same vendor: Apache)
CVE-2024-56180 (same vendor: Apache)
CVE-2026-40860 (same vendor: Apache)
CVE-2025-61622 (same vendor: Apache)
CVE-2026-25747 (same vendor: Apache)
