CVE-2026-3967

Summary

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization System. This manipulation causes deserialization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
AlfrescoActiviti7.0affected
AlfrescoActiviti7.1affected
AlfrescoActiviti7.2affected
AlfrescoActiviti7.3affected
AlfrescoActiviti7.4affected
AlfrescoActiviti7.5affected
AlfrescoActiviti7.6affected
AlfrescoActiviti7.7affected
AlfrescoActiviti7.8affected
AlfrescoActiviti7.9affected
AlfrescoActiviti7.10affected
AlfrescoActiviti7.11affected
AlfrescoActiviti7.12affected
AlfrescoActiviti7.13affected
AlfrescoActiviti7.14affected
AlfrescoActiviti7.15affected
AlfrescoActiviti7.16affected
AlfrescoActiviti7.17affected
AlfrescoActiviti7.18affected
AlfrescoActiviti7.19affected
AlfrescoActiviti8.0affected
AlfrescoActiviti8.1affected
AlfrescoActiviti8.2affected
AlfrescoActiviti8.3affected
AlfrescoActiviti8.4affected
AlfrescoActiviti8.5affected
AlfrescoActiviti8.6affected
AlfrescoActiviti8.7affected
AlfrescoActiviti8.8.0affected

Weaknesses

  • CWE-502: Deserialization
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References