securityonline.info 1/26/2026, 12:41:09 AM · via preferred

CVE-2026-24656: Deserialization Flaw in Apache Karaf Exposes Systems to DoS


CVE-2026-24656, described as a deserialization flaw in Apache Karaf Decanter, could allow unauthenticated attackers to crash affected systems via a DoS attack. The vulnerability centers on the Decanter log socket collector, which listens on port 4560 and is exposed by default without authentication, meaning anyone who can reach the server can send data to it.

According to the security advisory, even if the collector is configured with an "allowed classes" list, that setting can be bypassed, enabling deserialization of untrusted data and a resulting DoS condition. The issue affects all versions of Apache Karaf Decanter prior to 2.12.0; Apache has released a fix in 2.12.0, and users are urged to upgrade immediately. The article notes that the Decanter log socket collector is not installed by default, so organisations that have not installed it are not affected. Until upgrading, administrators should restrict access to port 4560 to trusted sources to reduce exposure.


Article by CyberSIXT