{"id":"CVE-2020-26217","details":"XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands merely by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory (GHSA-mw36-7c6c-q4q2) provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.","aliases":["BIT-activemq-2020-26217","GHSA-mw36-7c6c-q4q2"],"modified":"2026-04-11T16:25:28.780348Z","published":"2020-11-16T21:15:12.893Z","related":["GHSA-mw36-7c6c-q4q2","SUSE-SU-2021:0176-1","SUSE-SU-2021:0906-1","openSUSE-SU-2021:0140-1","openSUSE-SU-2024:10592-1"],"references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4811"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"ADVISORY","url":"https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210409-0004/"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https:/
/www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"},{"type":"EVIDENCE","url":"https://x-stream.github.io/CVE-2020-26217.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/activemq","events":[{"introduced":"0"},{"fixed":"a0d4141a00ba5de4afaee160836898b41eb28065"},{"introduced":"0"},{"last_affected":"86dd78b1aa64cbf0af15669c0e4af62dfae0d158"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.15.14"},{"introduced":"0"},{"last_affected":"5.16.0"}]}},{"type":"GIT","repo":"https://github.com/x-stream/xstream","events":[{"introduced":"0"},{"fixed":"b9f6f5924681f1d37484df4197712bb768f7ec44"},{"fixed":"0fec095d534126931c99fd38e9c6d41f5c685c1a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.4.14"}]}}],"versions":["XSTREAM_1_4_10","XSTREAM_1_4_11","XSTREAM_1_4_11_1","XSTREAM_1_4_12","XSTREAM_1_4_13","XSTREAM_1_4_5","XSTREAM_1_4_9","activemq-5.10.0","activemq-5.11.0","activemq-5.12.0","activemq-5.13.0","activemq-5.14.0","activemq-5.15.0","activemq-5.15.1","activemq-5.15.10","activemq-5.15.11","activemq-5.15.12","activemq-5.15.13","activemq-5.15.2","activemq-5.15.3","activemq-5.15.4","activemq-5.15.5","activemq-5.15.6","activemq-5.15.7","activemq-5.15.8","activemq-5.15.9","activemq-5.16.0","activemq-5.9.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affecte
d":"14.2"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"2.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.1.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.2"}]}],"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["36534078420505951630932717155066595606","167712592239746094751306022918018252816","317644733730249586699082543719012497198","147882892005919619167157629845016475938","310112206937186273496457350593858618322","212400998281365619402932426753096858535","98561082973858442458491193662279704329","140566921675937823121313754377213541683","55865721030239104668089207709746320035","226613955031940672379347694521770861245","224905054078361424294810803415096163072","304917238615893824511506291964377504692","95782208176028131388695258941550121531","288379929031772818656694349899
13590989","199170493253428971075703026859805881887","37525357282441523443603245142652431206","145645811809558746125356472534965652414","46124708426586695108529983063240272933","13235285845647794166604326647201940192","194282790036325872265619217445543145245","57524199966063753519088560374134026781","302590889855058786938212722740100797184","287878836132345066373988020348693799345","55388299779160129076428276823673824851","79370552315750212097527417749468495751","58609552586332135734337986950425982652","274080513672262428135865176899633804291","140977745494268924825685328415719490273","284467441441206600708256211807478500031","304917238615893824511506291964377504692","95782208176028131388695258941550121531","28837992903177281865669434989913590989","199170493253428971075703026859805881887","37525357282441523443603245142652431206","145645811809558746125356472534965652414","46124708426586695108529983063240272933","330110021267849494055473811230632102184","276200769093194371420971142739798509370","95737149966117525507760249364270862720","263867514275934896738377568056758027090","48714228442327568100662768598747861880","212494145970732734032500827369388649428","182912325341326383473301608361159179741","88593924387143450924616786494852175367","151438248137756327111752360344123826640","248025821406173234794988814544699774100","309803324023024585825355197780470987251","315797621103349978137933836505191930530","82548540201317005602749919447493015094","270863949685038507274853685123980255028","171405365791934743455499209126098513808","244766781187162628268875854624811336252","166730865668170713317511943055644070483","292822050563300496692888095507552767585","63366177943000962629953594979726051287","268325377609045880961180859203858421206","253171137548256272141904701683387644168","262245883024142785000301742972088682103"]},"id":"CVE-2020-26217-62fc4d1d","target":{"file":"xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java"},"signature_version":"v1","sig
nature_type":"Line","deprecated":false,"source":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"},{"digest":{"length":736,"function_hash":"135430061935714785873177556993178862123"},"id":"CVE-2020-26217-7ccf807b","target":{"function":"testExplicitlyConvertEventHandler","file":"xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"},{"digest":{"length":291,"function_hash":"86372899673399638265050073566564126629"},"id":"CVE-2020-26217-fda9c622","target":{"function":"setupSecurity","file":"xstream/src/java/com/thoughtworks/xstream/XStream.java"},"signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"},{"digest":{"threshold":0.9,"line_hashes":["288917004095477301317786229564296666322","260891975351421313936228542580575721897","182758980270881807918382145153527672156","222093423178369917819573038757702447017"]},"id":"CVE-2020-26217-fdcfa9c0","target":{"file":"xstream/src/java/com/thoughtworks/xstream/XStream.java"},"signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"}],"vanir_signatures_modified":"2026-04-11T16:25:28Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26217.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}