The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-24656

CVE-2026-24656: Apache Karaf Decanter DoS Vulnerability

CVE-2026-24656 is a deserialization of untrusted data flaw in Apache Karaf Decanter that can cause denial of service. The log socket collector exposes port 4560 without authentication. This article covers technical details, affected versions, impact, and mitigation.

Published: January 30, 2026

CVE-2026-24656 Overview

A Deserialization of Untrusted Data vulnerability exists in Apache Karaf Decanter's log socket collector component. The vulnerability allows unauthenticated remote attackers to exploit the log socket collector which exposes port 4560 without authentication. When the collector exposes allowed classes property, this configuration can be bypassed, making the log socket collector vulnerable to deserialization of untrusted data that can lead to Denial of Service (DoS) conditions.

It's important to note that the Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue.

Critical Impact

Remote attackers can exploit the unauthenticated log socket collector on port 4560 to perform deserialization attacks, potentially causing service disruption through Denial of Service.

Affected Products

  • Apache Karaf Decanter versions before 2.12.0
  • Systems with the Decanter log socket collector installed and exposed on port 4560
  • Environments where allowed classes property configuration is being relied upon for protection

Discovery Timeline

  • 2026-01-26 - CVE-2026-24656 published to NVD
  • 2026-01-27 - Last updated in NVD database

Technical Details for CVE-2026-24656

Vulnerability Analysis

This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The Apache Karaf Decanter log socket collector operates on port 4560 and accepts incoming log data. The core issue stems from the lack of authentication on this exposed port combined with an ability to bypass the allowed classes property configuration.

When Java deserialization occurs on untrusted data, attackers can craft malicious serialized objects that, when deserialized by the application, trigger unintended behavior. In this case, the vulnerability can be exploited to cause Denial of Service conditions by forcing the application to process maliciously crafted serialized data.

The attack requires network access to port 4560 where the log socket collector is listening. While the allowed classes property was intended to restrict which classes can be deserialized, this security control can be circumvented, rendering it ineffective against determined attackers.

Root Cause

The root cause is the insufficient access control on the log socket collector's network endpoint combined with inadequate validation of serialized data before deserialization. The allowed classes property mechanism was designed to whitelist acceptable classes for deserialization, but implementation flaws allow this restriction to be bypassed. This enables attackers to inject arbitrary serialized objects that the application will process, leading to resource exhaustion or other DoS conditions.

Attack Vector

The attack is network-based and does not require authentication or user interaction. An attacker with network access to the vulnerable service on port 4560 can send specially crafted serialized Java objects to the log socket collector. The attack exploits the following conditions:

  1. The Decanter log socket collector must be installed and running (not a default configuration)
  2. Port 4560 must be accessible to the attacker
  3. The attacker crafts malicious serialized objects designed to bypass the allowed classes property
  4. Upon deserialization, the malicious payload triggers resource consumption or crashes

The vulnerability mechanism involves sending specially crafted serialized Java objects to the exposed port 4560 of the Decanter log socket collector. These objects are designed to bypass the allowed classes property restrictions and, when processed by the deserialization mechanism, consume excessive resources or trigger application failures. For detailed technical information, refer to the Apache Security Mailing List.

Detection Methods for CVE-2026-24656

Indicators of Compromise

  • Unusual network traffic or connection patterns to port 4560 from external or unexpected sources
  • Increased resource consumption (CPU, memory) on systems running Apache Karaf Decanter
  • Application crashes or service unavailability of the Decanter log socket collector
  • Suspicious serialized Java object data in network captures targeting port 4560

Detection Strategies

  • Monitor network connections to port 4560 for unusual source addresses or connection volumes
  • Implement network-level alerting for connections to port 4560 from untrusted networks
  • Deploy application performance monitoring to detect abnormal resource consumption in Karaf processes
  • Use deep packet inspection to identify potentially malicious Java serialization streams

Monitoring Recommendations

  • Configure firewall logging for all traffic to port 4560 and review regularly
  • Implement network segmentation monitoring to ensure port 4560 is not exposed beyond intended boundaries
  • Set up automated alerts for Karaf Decanter service disruptions or restarts
  • Monitor system logs for deserialization-related exceptions or errors

How to Mitigate CVE-2026-24656

Immediate Actions Required

  • Verify whether the Decanter log socket collector is installed in your environment
  • If installed, upgrade Apache Karaf Decanter to version 2.12.0 or later immediately
  • Implement firewall rules to restrict access to port 4560 to trusted sources only
  • Consider disabling the log socket collector if it is not required for operations

Patch Information

Apache has released version 2.12.0 of Apache Karaf Decanter which addresses this vulnerability. Users are strongly recommended to upgrade to this version or later to remediate the issue. The fix implements proper validation and authentication controls for the log socket collector component.

For additional details, refer to the Apache Security Mailing List and the Openwall OSS Security Update.

Workarounds

  • Disable the Decanter log socket collector if it is not essential for your deployment
  • Implement strict firewall rules to block external access to port 4560
  • Use network segmentation to isolate systems running the vulnerable component
  • Deploy a reverse proxy or application gateway with authentication in front of the service
bash
# Configuration example - Firewall rules to restrict access to port 4560
# Allow only trusted internal networks to access the Decanter log socket collector
iptables -A INPUT -p tcp --dport 4560 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 4560 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechApache Karaf
  • SeverityLOW
  • CVSS Score3.7
  • EPSS Probability0.03%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-502
  • Technical References
  • Apache Security Mailing List
  • Openwall OSS Security Update
  • Related CVEs
  • CVE-2021-41766: Apache Karaf JMX RCE Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English