CVE-2025-26866

8.8 HIGH

📋 TL;DR

This CVE describes a remote code execution vulnerability in Apache HugeGraph's PD store where a malicious Raft node can exploit insecure Hessian deserialization. Attackers can execute arbitrary code on affected systems by injecting malicious objects during deserialization. Organizations running vulnerable versions of Apache HugeGraph with PD store enabled are affected.

💻 Affected Systems

Products:
  • Apache HugeGraph
Versions: Versions before 1.7.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PD store functionality to be enabled and accessible to malicious Raft nodes.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise allowing attackers to execute arbitrary code, steal sensitive data, deploy ransomware, or pivot to other systems in the network.

🟠 Likely Case: Unauthorized remote code execution leading to data theft, service disruption, or deployment of cryptocurrency miners or backdoors.

🟢 If Mitigated: Limited impact due to network segmentation and restricted cluster access, potentially resulting in denial of service but not full compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the Raft cluster and knowledge of Hessian deserialization vulnerabilities. The fix implements IP-based authentication and class whitelisting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0

Vendor Advisory: https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq

Restart Required: Yes

Instructions:

1. Backup configuration and data.
2. Download Apache HugeGraph version 1.7.0 or later.
3. Stop the HugeGraph service.
4. Replace the existing installation with the patched version.
5. Restart the HugeGraph service.
6. Verify the upgrade was successful.

🔧 Temporary Workarounds

Network Segmentation (platform: linux)

Restrict network access to the PD store and Raft cluster nodes using firewall rules so that only trusted IP addresses are allowed. Add one ACCEPT rule per trusted address and append the DROP rule last, since iptables evaluates rules in order:

iptables -A INPUT -p tcp --dport <pd_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <pd_port> -j DROP

Disable PD Store (platform: all)

If PD store functionality is not required, disable it in the configuration to remove the attack surface.

Edit hugegraph.properties: set pd.store.enable=false

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the HugeGraph cluster from untrusted networks.
  • Monitor for unusual deserialization activity and implement application-level firewalls to detect exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the HugeGraph version and verify if PD store is enabled in the configuration file.

Check Version:

grep 'version' hugegraph-release/conf/hugegraph.properties

Verify Fix Applied:

Verify the installed version is 1.7.0 or later and confirm IP-based authentication is configured for Raft nodes.

📡 Detection & Monitoring

Log Indicators:

  • Unusual deserialization errors in PD store logs
  • Unexpected Raft node connections from unauthorized IP addresses
  • Java process spawning unexpected child processes

Network Indicators:

  • Unusual network traffic to PD store ports from untrusted sources
  • Suspicious serialized data patterns in network captures

SIEM Query:

source="hugegraph.logs" AND ("deserialization error" OR "unexpected class" OR "Raft connection from")
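The SIEM query above expressed as a small offline log scanner, added here as an example and not taken from the page or the HugeGraph project. The log lines, the log format and the trusted-network allow-list are constructed assumptions; it flags deserialization indicators and Raft connections from addresses outside the allow-list, mirroring the IP-based authentication introduced by the fix.

```python
import re
import ipaddress

# Constructed sample PD-store log lines (hypothetical format, not HugeGraph's real output)
SAMPLE_LOG = """\
2025-03-01 10:00:01 INFO  pd.raft  Raft connection from 10.0.1.12:8610 peer=pd-2
2025-03-01 10:00:05 WARN  pd.store deserialization error: unexpected class com.example.Evil
2025-03-01 10:00:09 INFO  pd.raft  Raft connection from 203.0.113.45:8610 peer=unknown
2025-03-01 10:00:12 INFO  pd.store snapshot persisted in 42ms
"""

# Assumption: operator-maintained list of networks allowed to join the Raft cluster
TRUSTED_NETS = [ipaddress.ip_network("10.0.1.0/24")]

# Same indicators as the SIEM query, as regular expressions
DESER_PATTERNS = re.compile(r"deserialization error|unexpected class", re.IGNORECASE)
RAFT_CONN = re.compile(r"Raft connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def is_trusted(ip: str) -> bool:
    """True if the IPv4 address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def scan_log(text: str):
    """Return (line_no, reason) findings for lines matching the indicators."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if DESER_PATTERNS.search(line):
            findings.append((n, "deserialization-indicator"))
            continue
        m = RAFT_CONN.search(line)
        if m and not is_trusted(m.group("ip")):
            findings.append((n, f"untrusted-raft-peer:{m.group('ip')}"))
    return findings


if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```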
