CVE-2025-26866

Name of the Vulnerable Software and Affected Versions Apache HugeGraph-Server versions prior to 1.7.0

Description A remote code execution issue exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Hessian is a binary object serialization format.

Recommendations Upgrade to version 1.7.0 to resolve the issue.