CVE-2026-24656

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter.<br /> <br /> <br /> The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed.<br /> It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS.<br /> <br /> <br /> NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue.<br /> <br /> This issue affects Apache Karaf Decanter before 2.12.0.<br /> <br /> Users are recommended to upgrade to version 2.12.0, which fixes the issue.