Vulnerability Details CVE-2025-26866
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks.
Users are recommended to upgrade to version 1.7.0, which fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 75.0%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2025-26866
-
cpe:2.3:a:apache:hugegraph:1.0.0
-
cpe:2.3:a:apache:hugegraph:1.2.0
-
cpe:2.3:a:apache:hugegraph:1.3.0
-
cpe:2.3:a:apache:hugegraph:1.5.0