CVE-2025-26866

HIGH LAB

Apache HugeGraph < 1.7.0 - Remote Code Execution via Hessian Deserialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-26866. PoCs published by exploitintel.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-26866, an insecure Hessian deserialization vulnerability in Apache HugeGraph PD. The PoC demonstrates unauthenticated RCE via a crafted ProxyLazyValue gadget chain, bypassing the blacklist in sofa-hessian 3.3.6.

Description

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-26866

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-26866, an insecure Hessian deserialization vulnerability in Apache HugeGraph PD. The PoC demonstrates unauthenticated RCE via a crafted ProxyLazyValue gadget chain, bypassing the blacklist in sofa-hessian 3.3.6.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache HugeGraph PD 1.0.0–1.5.0

No auth needed

Prerequisites: Network access to port 8610 (SOFABolt Raft RPC) · Python 3

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 02, 2026 Full analysis →

References (3)

Core 3

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2025/12/09/1

Issue Tracking, Patch patch

https://github.com/apache/incubator-hugegraph/pull/2735

Mailing List vendor-advisory

https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq

Related Analysis

HugeGraph Deserialization

Zero to RCE

Scores

CVSS v3 8.8

EPSS 0.0345

EPSS Percentile 87.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Lab Environment

EIP LAB

vulnerable docker pull ghcr.io/exploitintel/cve-2025-26866-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-502

Status published

Products (2)

apache/hugegraph 1.0.0 - 1.7.0

org.apache.hugegraph/hg-pd-core 0 - 1.7.0Maven

Published Dec 12, 2025

Tracked Since Feb 18, 2026