Java Deserialization Proxy Class Bypass (resolveProxyClass Not Overridden)
CVE-2026-47065 Published on June 3, 2026
Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232
ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy
Assessment: Fully addressed.
When the serialised stream contains a TC_PROXYCLASSDESC (the marker
for a java.lang.reflect.Proxy ), JDKs ObjectInputStream.readProxyDesc()
is
dispatched. JDK then calls the default
ObjectInputStream.resolveProxyClass(interfaces) implementation, which
performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH
interface name and constructs the proxy class â bypassing the accepted
classes list .
ZDRES-233: Class.forName(name, initialize=true, classLoader) in
readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes
Assessment: Fully addressed.
For ANY class on the allow-list, deserialising a stream that names it triggers the classs
(static initialiser) BEFORE any instance is constructed. This means an
attacker who supplies a class name on the allow-list (e.g., the
developer wrote accept(com.myapp.*") , attacker supplies
com.myapp.SomeClass ) causes <clinit> of SomeClass â and many
real-world classes have side-effecting static initialisers
Both issues have been fixed.
Vulnerability Analysis
CVE-2026-47065 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2026-47065 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2026-47065
Want to know whenever a new CVE is published for Apache Mina? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache MINA:- Version 2.2.0 and below 2.2.8 is affected.
- Version 2.1.0 and below 2.1.13 is affected.
- Version 2.0.0 and below 2.0.29 is affected.