CVE-2026-24656

3.7 LOW

📋 TL;DR

Apache Karaf Decanter's log socket collector listens on port 4560 without authentication and deserializes the Java objects it receives. Attackers can bypass the allowed-classes configuration to send malicious serialized data, potentially causing denial of service. Only users who have installed the Decanter log socket collector are affected.

💻 Affected Systems

Products:
  • Apache Karaf Decanter
Versions: All versions before 2.12.0
Operating Systems: All operating systems running Apache Karaf Decanter
Default Config Vulnerable: ✅ No
Notes: Only affects systems where Decanter log socket collector is installed (not installed by default)


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if deserialization gadgets are available in the classpath

🟠 Likely Case: Denial of service through application crashes or resource exhaustion

🟢 If Mitigated: Limited impact if proper network segmentation and authentication controls are in place

🌐 Internet-Facing: HIGH - Port 4560 is exposed without authentication, making it directly accessible to attackers
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the vulnerable service

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - No authentication required and deserialization attacks are well-documented

Exploitation requires sending specially crafted serialized objects to port 4560

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.12.0

Vendor Advisory: https://lists.apache.org/thread/dc5wmdn6hyc992olntkl75kk04ndzx34

Restart Required: Yes

Instructions:

1. Download Apache Karaf Decanter 2.12.0 or later.
2. Stop the Decanter service.
3. Replace the existing Decanter installation with the patched version.
4. Restart the Decanter service.

🔧 Temporary Workarounds

Disable Decanter log socket collector (applies to: all)

Remove or disable the vulnerable component if not required: stop the Decanter service and remove/disable the log socket collector component.

Network firewall restriction (applies to: linux)

Block access to port 4560 from untrusted networks:

iptables -A INPUT -p tcp --dport 4560 -j DROP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port port="4560" protocol="tcp" reject'

Note that `iptables -A` appends to the end of the INPUT chain, so an earlier ACCEPT rule covering this traffic would still take precedence, and a `--permanent` firewalld rule only takes effect after the firewall configuration is reloaded.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable service
  • Add authentication or IP whitelisting to port 4560 access

🔍 How to Verify

Check if Vulnerable:

Check if Decanter log socket collector is installed and running on port 4560: netstat -tlnp | grep 4560

Check Version:

Check Decanter version in application logs or configuration files

Verify Fix Applied:

Verify Decanter version is 2.12.0 or later and port 4560 is properly secured or disabled

📡 Detection & Monitoring

Log Indicators:

  • Deserialization errors in Decanter logs
  • Unexpected connections to port 4560
  • Java stack traces indicating deserialization failures

Network Indicators:

  • Unusual traffic to port 4560 from external sources
  • Malformed serialized objects sent to port 4560

SIEM Query:

dest_port:4560 AND (event_type:connection OR event_type:deserialization_error)

Field names follow your SIEM's schema; because the collector listens on port 4560, inbound connections carry it as the destination port, not the source port.
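The log indicators listed above can be checked mechanically before a SIEM rule exists. The following script is an added example, not part of this advisory or of the Decanter project: it scans log lines for connections to port 4560 from outside a trusted range and for Java deserialization errors, attaching any stack trace that follows. The sample log lines and their message format are constructed for the example; the real Decanter layout may differ, so adjust the regular expressions to your logs.

```python
import re
from ipaddress import ip_address, ip_network

LISTEN_PORT = 4560  # port of the Decanter log socket collector

# Indicator patterns. The message wording is an assumption for this example;
# adapt it to the actual Decanter/Karaf log format.
CONNECTION_RE = re.compile(r"connection from (?P<ip>[0-9a-fA-F:.]+):(?P<port>\d+)", re.I)
DESER_RE = re.compile(
    r"InvalidClassException|ClassNotFoundException|StreamCorruptedException"
    r"|ObjectInputStream|deserializ",
    re.I,
)
STACK_RE = re.compile(r"^\s+at [\w$./]+\(")  # a Java stack frame line

# Constructed sample log (not real Decanter output).
SAMPLE_LOG = """\
2026-02-01T09:14:02Z INFO  [decanter-log-socket] Accepted connection from 10.0.0.12:40311 on port 4560
2026-02-01T09:14:05Z INFO  [decanter-log-socket] Accepted connection from 203.0.113.45:51822 on port 4560
2026-02-01T09:14:05Z ERROR [decanter-log-socket] java.io.InvalidClassException: filter status: REJECTED
\tat java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1414)
\tat java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1998)
2026-02-01T09:14:06Z INFO  [karaf] Bundle org.apache.karaf.decanter.collector.log.socket started
"""


def scan_logs(lines, trusted_networks=()):
    """Return (line_no, kind, detail) tuples for lines matching the indicators.

    kind is one of: untrusted_connection, deserialization_error,
    deserialization_stack_trace (an error followed by at least one stack frame).
    """
    trusted = [ip_network(n) for n in trusted_networks]
    findings = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if STACK_RE.match(line):
            i += 1  # orphan stack frames belong to a preceding error; skip them
            continue
        m = CONNECTION_RE.search(line)
        if m and str(LISTEN_PORT) in line:
            src = ip_address(m.group("ip"))
            if not any(src in net for net in trusted):
                findings.append((i + 1, "untrusted_connection", str(src)))
        elif DESER_RE.search(line):
            # Count the stack frames that follow so they are reported once, with the error.
            frames = 0
            while i + 1 + frames < len(lines) and STACK_RE.match(lines[i + 1 + frames]):
                frames += 1
            kind = "deserialization_stack_trace" if frames else "deserialization_error"
            findings.append((i + 1, kind, line.split("] ", 1)[-1].strip()))
            i += frames
        i += 1
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan_logs(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"]):
        print(f"line {line_no}: {kind}: {detail}")
```

Run against a real log with `scan_logs(open(path).read().splitlines(), ["<your trusted CIDRs>"])`; an untrusted connection immediately followed by a deserialization error on the same collector is the combination worth alerting on.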
