CVE-2026-3967
Received Received - Intake
Deserialization Vulnerability in Alfresco Activiti Enables Remote Exploitation

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization System. This manipulation causes deserialization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3967
EUVD
EUVD-2026-11492
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
alfresco activiti to 8.8.0 (inc)
alfresco activiti to 7.20 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-3967 is a critical vulnerability in Alfresco Activiti's Process Variable Serialization System affecting versions up to 7.19 and 8.8.0. The flaw exists in the deserialize and createObjectInputStream functions of the SerializableType.java file, where user-controlled serialized Java objects are accepted via REST or Java APIs, stored without validation, and later deserialized using an unrestricted ObjectInputStream."}, {'type': 'paragraph', 'content': 'This unsafe deserialization allows attackers to remotely execute arbitrary code by exploiting gadget chains commonly found in Activiti deployments, such as those from the Spring Framework and Apache Commons Collections. The vulnerability arises because the system does not validate or restrict the classes being deserialized, enabling attackers to inject malicious payloads that execute with Activiti service user privileges.'}, {'type': 'paragraph', 'content': 'The exploit is easy to execute remotely, with a public proof-of-concept available, and no known mitigations provided by the vendor.'}] [1, 2, 3]

Impact Analysis

This vulnerability can have severe impacts on confidentiality, integrity, and availability of your systems running Alfresco Activiti.

  • Confidentiality: Attackers can access all process variables, sensitive workflow data, and database credentials.
  • Integrity: Attackers can modify process data and workflow execution, potentially altering business processes.
  • Availability: Exploitation can crash the application or cause denial of service, disrupting operations.
  • Privilege Escalation: The code executes with Activiti service user privileges, which may be elevated, allowing further system compromise.
  • Lateral Movement: Attackers can pivot to internal systems and networks from the compromised Activiti server.
  • Persistence: Malicious serialized objects can persist in the database and trigger repeatedly, maintaining attacker access.
Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious serialized objects and deserialization activities within the Alfresco Activiti system.

  • Run SQL queries to identify suspicious serializable variables and large serialized objects stored in the database tables such as ACT_RU_VARIABLE and ACT_GE_BYTEARRAY.
  • Monitor application logs for deserialization exceptions including ActivitiException, ClassNotFoundException, and InvalidClassException.
  • Look for suspicious class loading activities that may indicate attempts to load unauthorized classes during deserialization.

Specific commands are not provided in the resources, but typical detection commands could include SQL queries against the database to find unusually large or suspicious serialized data, and log analysis commands such as grep or journalctl to find relevant exception messages.

Mitigation Strategies

Immediate mitigation steps focus on disabling or restricting the unsafe deserialization process in Alfresco Activiti.

  • Disable the serializable variable type by configuring the process engine with `config.setDisableSerializableType(true);` to prevent deserialization of arbitrary objects.
  • Use safer variable types such as primitive types or JSON serialization with schema validation instead of Java Serializable objects.
  • Implement custom variable types with explicit class allowlists to restrict which classes can be deserialized.
  • For Java 9 and above, apply an ObjectInputFilter to restrict deserialization to safe classes and limit object graph depth.
  • For Java 8, implement strict class whitelisting in the `resolveClass()` method to prevent unauthorized class loading during deserialization.
  • Enforce size limits on serialized data to reject oversized payloads.
  • Implement audit logging for all deserialization attempts to detect and respond to suspicious activity.
  • Use digital signatures to verify serialized objects before deserialization to ensure integrity and authenticity.

Since no official vendor patch or mitigation is available, replacing the affected component with an alternative product is also suggested to mitigate risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3967. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart