A significant security vulnerability has been identified in Apache Karaf Decanter, a monitoring solution widely used in enterprise environments to harvest and dispatch logs. The flaw, tracked as CVE-2026-24656, exposes the log-socket collector to a “Deserialization of Untrusted Data” attack, potentially allowing unauthenticated attackers to crash affected systems.
Apache Karaf Decanter is designed to collect data from various sources, such as logs, JMX beans, and OS metrics, and alert administrators to anomalies. However, a lapse in how one specific collector handles incoming data has created a serious opening for disruption.
The vulnerability centers on the Decanter log socket collector, a component that listens for log events on port 4560. This port is exposed by default “without authentication,” meaning anyone who can reach the server can send data to it.
The issue arises when the collector is configured to accept “allowed classes.” According to the security advisory, if this property is exposed, “this configuration can be bypassed”.
This bypass effectively allows the collector to deserialize untrusted data sent by an attacker. In the Java world, deserialization vulnerabilities are notoriously dangerous; in this specific case, the flaw leads to a Denial of Service (DoS) condition, crashing the service and blinding administrators to legitimate system events.
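To show what an enforced allowlist looks like at the deserialization boundary, here is an added example that is not Decanter's code and does not reproduce the bypass: a hypothetical collector-side reader built on the JDK's ObjectInputFilter (Java 9+) that accepts only one event class and bounds stream depth, reference count and byte size so a crafted payload cannot exhaust the listener. The class name FilteredLogSocketReader, the LogEvent type and the limit values are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredLogSocketReader {

    // Hypothetical event type a log-socket collector would expect on the wire.
    public static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String level;
        final String message;
        LogEvent(String level, String message) { this.level = level; this.message = message; }
    }

    // Allow only the event class (and the String it references), reject every other class ("!*"),
    // and cap depth, reference count and bytes so a malformed stream cannot exhaust the listener.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "FilteredLogSocketReader$LogEvent;java.lang.String;!*;maxdepth=8;maxrefs=64;maxbytes=65536");

    /** Reads one event from the bytes received on the socket, rejecting anything off the allowlist. */
    public static LogEvent readEvent(byte[] wireBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wireBytes))) {
            in.setObjectInputFilter(FILTER); // must be installed before the first readObject()
            return (LogEvent) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legitimate event passes the filter.
        LogEvent ok = readEvent(serialize(new LogEvent("INFO", "service started")));
        System.out.println("accepted: " + ok.level + " " + ok.message);

        // Constructed sample: a type outside the allowlist is rejected before it is instantiated.
        try {
            readEvent(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as an InvalidClassException with the filter status, which is the event a collector should log and count rather than let terminate the listener thread.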
The good news is that this component is not active out-of-the-box. “Decanter log socket collector is not installed by default,” the report clarifies. “Users who have not installed Decanter log socket are not impacted by this issue”.
However, for organizations that do use this feature to centralize logs, the risk is real. The vulnerability affects all versions of Apache Karaf Decanter prior to 2.12.0.
Apache has released a patch to address the vulnerability. The issue is resolved in Apache Karaf Decanter 2.12.0, and users are strongly recommended to upgrade immediately to close the vector.
Until the upgrade is applied, administrators should consider restricting network access to port 4560 to trusted sources only, minimizing the attack surface.