CVE-2026-47065 – Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass – ZDRES-232

CVE ID :CVE-2026-47065

Published : June 3, 2026, 11:16 a.m. | 1 hour, 16 minutes ago

Description :ZDRES-232: resolveProxyClass Not Overridden – acceptMatchers Filter Bypass via java.lang.reflect.Proxy

Assessment: Fully addressed.

When the serialised stream contains a TC_PROXYCLASSDESC (the marker
for a java.lang.reflect.Proxy ), JDK’s ObjectInputStream.readProxyDesc()
is
dispatched. JDK then calls the default
ObjectInputStream.resolveProxyClass(interfaces) implementation, which
performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH
interface name and constructs the proxy class — bypassing the accepted
classes list .

ZDRES-233: Class.forName(name, initialize=true, classLoader) in
readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes

Assessment: Fully addressed.

For ANY class on the allow-list, deserialising a stream that names it triggers the class’s
(static initialiser) BEFORE any instance is constructed. This means an
attacker who supplies a class name on the allow-list (e.g., the
developer wrote accept(“com.myapp.*”) , attacker supplies
com.myapp.SomeClass ) causes of SomeClass — and many
real-world classes have side-effecting static initialisers

Both issues have been fixed.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-8404 – Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

CVE-2026-7666 – Potential unencrypted email transmission via STARTTLS in the SMTP backend

CVE-2026-6873 – Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie

CVE-2026-5241 – Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers