CVE-2025-26866

EUVD-2025-203068
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks.




Users are recommended to upgrade to version 1.7.0, which fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
Affected Products (NVD)
VendorProductVersion
apachehugegraph
1.0.0 ≤
𝑥
< 1.7.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/apache/incubator-hugegraph/pull/2735
https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq
http://www.openwall.com/lists/oss-security/2025/12/09/1