PT-2026-37132 · Hyperledger · Fabric-Sdk-Java+1

Brodmart · Published 2026-04-29 · Updated 2026-05-11 · CVE-2026-41586

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Hyperledger Fabric versions 1.0.0 through 2.2.26

Description: In the deprecated fabric-sdk-java client SDK, the Channel class (Channel.java) implements a readObject() method and exposes a deSerializeChannel() method. Both call ObjectInputStream.readObject() on a caller-supplied byte array without configuring an ObjectInputFilter, so any Serializable class on the application's classpath can be instantiated from the bytes. An attacker who can supply crafted serialized Channel bytes, for example by tampering with a locally stored channel file or by injecting data through an application that passes untrusted input to deSerializeChannel(), can achieve remote code execution (RCE) through a deserialization gadget chain present on that classpath. This is a client-side issue in the SDK and does not involve data transmitted from Fabric peers.

Recommendations: Migrate to org.hyperledger.fabric:fabric-gateway, which does not use Java serialization. As a temporary workaround for the deprecated SDK, set an ObjectInputFilter on the ObjectInputStream used by deSerializeChannel() before readObject() is called, allowing only the classes a serialized Channel legitimately contains and rejecting everything else.
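The workaround above, as an added example that is not code from fabric-sdk-java or Hyperledger: a hypothetical Channel-like class stands in for the SDK's Channel, deserializeUnfiltered() reproduces the pattern the advisory describes, and deserializeFiltered() installs an allowlist ObjectInputFilter on the stream before readObject(). The class names in the allowlist, the Gadget stand-in (a Serializable class whose readObject() runs code, in place of a real gadget chain) and the peer URL are all constructed for the example; the real Channel's object graph would need its own allowlist derived from an actual serialized instance.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/** Added example: unfiltered vs. allowlist-filtered deserialization of a Channel-like object. */
public class ChannelFilterDemo {

    /** Hypothetical stand-in for the SDK's serializable Channel; not the real class. */
    static final class Channel implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final ArrayList<String> peerUrls;
        Channel(String name, ArrayList<String> peerUrls) { this.name = name; this.peerUrls = peerUrls; }
    }

    /** Stand-in for a gadget: any Serializable class on the classpath whose readObject() runs code. */
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // a real chain would reach Runtime.exec() or similar here
        }
    }

    /** Vulnerable pattern: the whole graph is reconstructed before the cast, so gadget code runs first. */
    static Channel deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Channel) in.readObject();
        }
    }

    /**
     * Allowlist of exactly the classes a serialized Channel contains; "!*" rejects everything else.
     * java.lang.Object is required because ArrayList.readObject() pre-checks an Object[] against the
     * filter, and the pattern filter matches arrays by their component type. The depth and array
     * limits bound resource use from deeply nested or oversized graphs.
     */
    static final ObjectInputFilter CHANNEL_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=10000;"
            + Channel.class.getName() + ";java.util.ArrayList;java.lang.String;java.lang.Object;!*");

    /** Hardened pattern: the filter runs as each class descriptor is read, before any instance exists. */
    static Channel deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(CHANNEL_FILTER); // must precede the first readObject()
            return (Channel) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one legitimate Channel, one "attacker" payload.
        ArrayList<String> peers = new ArrayList<>(List.of("grpcs://peer0.example:7051"));
        byte[] benign = serialize(new Channel("mychannel", peers));
        byte[] hostile = serialize(new Gadget());

        System.out.println("filtered benign -> " + deserializeFiltered(benign).name);

        // Unfiltered: Gadget.readObject() has already run by the time the cast to Channel fails.
        try { deserializeUnfiltered(hostile); } catch (ClassCastException e) { /* thrown after readObject */ }
        System.out.println("unfiltered hostile: gadget ran = " + Gadget.triggered);

        // Filtered: the class descriptor is rejected before Gadget is instantiated.
        Gadget.triggered = false;
        try {
            deserializeFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered hostile rejected (" + e.getMessage()
                    + "), gadget ran = " + Gadget.triggered);
        }
    }
}
```

Requires JDK 9 or later (ObjectInputFilter, JEP 290). If the SDK jar itself cannot be modified, the same allowlist pattern can be applied process-wide with -Djdk.serialFilter=..., which ObjectInputStream uses for any stream that has no stream-specific filter; a process-wide filter is coarser, so verify it against every other deserialization path in the application. The java.lang.Object entry illustrates why the allowlist must be derived from a real serialized Channel rather than guessed: collection classes check their backing arrays against the filter during readObject(), and an allowlist missing those entries rejects legitimate input.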

Exploit · Fix · RCE

Weakness Enumeration: Deserialization of Untrusted Data (CWE-502)

Related Identifiers

BIT-HYPERLEDGER-FABRIC-ORDERER-2026-41586
BIT-HYPERLEDGER-FABRIC-PEER-2026-41586
BIT-HYPERLEDGER-FABRIC-TOOLS-2026-41586
CVE-2026-41586
GHSA-PRF8-CF2X-RHX7

Affected Products

Hyperledger Fabric
Fabric-Sdk-Java