PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9497 changmingxie CVE debrief

A deserialization vulnerability exists in tcc-transaction versions up to 2.1.0, specifically in the Fastjson.parseObject call used by the Fastjson AutoType REST API component. A remote attacker who can reach that REST API can submit a crafted JSON payload that is deserialized unsafely. The CVSS 4.0 score of 2.1 reflects LOW severity: network attack vector, low attack complexity, and low impact to confidentiality, integrity, and availability. The vendor was contacted prior to disclosure but did not respond. The CVE was published on 2026-05-25 and modified on 2026-05-26. The vulnerability is associated with CWE-20 (Improper Input Validation) and CWE-502 (Deserialization of Untrusted Data).

Vendor: changmingxie
Product: tcc-transaction
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations running tcc-transaction versions up to 2.1.0 with Fastjson AutoType enabled in REST API configurations. Development teams using Fastjson with AutoType in Java applications. Security teams monitoring for deserialization vulnerabilities in transaction management frameworks.

Technical summary

The vulnerability stems from unsafe deserialization in Fastjson's parseObject function when AutoType is enabled in the tcc-transaction framework. With AutoType on, the JSON document itself can name the class Fastjson instantiates while parsing, so a crafted payload can cause arbitrary classes to be instantiated. Because the parsing happens in a REST API endpoint, the payload can be delivered remotely. The CVSS 4.0 vector records network accessibility and low attack complexity, but it also requires low privileges (PR:L), which narrows the attack surface compared to an unauthenticated vulnerability.

Defensive priority

low

Recommended defensive actions

  • Review and update tcc-transaction to a version newer than 2.1.0 if available, or apply vendor-provided patches when released.
  • Disable Fastjson AutoType functionality if not required, or restrict AutoType to an explicit allowlist of safe classes.
  • Implement input validation and sanitization for all data passed to Fastjson.parseObject in REST API endpoints.
  • Monitor for suspicious deserialization activity in application logs, particularly for unexpected class instantiation.
  • Consider migrating to alternative JSON libraries with safer default deserialization behavior if vendor patches are not forthcoming.
  • Apply network segmentation and access controls to limit exposure of affected REST API endpoints to untrusted networks.
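The two configurations below illustrate the technical summary and the "disable or allowlist AutoType" action. This is an added example written for this debrief, not code from tcc-transaction or Fastjson; it uses the public Fastjson 1.2.x ParserConfig API, and the TransactionRequest class, the package prefix passed to addAccept, and the sample body are assumptions chosen for illustration.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonAutoTypeHardening {

    // Assumed DTO standing in for whatever request type the REST endpoint expects.
    public static class TransactionRequest {
        public String xid;
        public String status;
    }

    // Weak setting: global AutoType lets the "@type" key in an untrusted body choose
    // which class Fastjson instantiates; this is the CWE-502 condition described above.
    public static void weakConfig() {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
    }

    // Corrected setting: AutoType stays off and safeMode (Fastjson 1.2.68 and later)
    // makes the parser reject any "@type" key instead of consulting allow/deny lists.
    public static void hardenedConfig() {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setAutoTypeSupport(false);
        config.setSafeMode(true);
    }

    // Alternative when polymorphic types are genuinely needed: AutoType stays off
    // globally and only an explicit package prefix is accepted (placeholder prefix).
    public static void allowlistConfig() {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setAutoTypeSupport(false);
        config.addAccept("com.example.tcc.dto.");
    }

    // Always bind the body to the concrete type the endpoint expects rather than
    // calling JSON.parseObject(body) and letting the payload pick the class.
    public static TransactionRequest parse(String body) {
        return JSON.parseObject(body, TransactionRequest.class);
    }

    public static void main(String[] args) {
        hardenedConfig();
        // Constructed sample body carrying an "@type" key; under safeMode Fastjson
        // refuses the key and parse() fails with a JSONException.
        String body = "{\"@type\":\"java.lang.Object\",\"xid\":\"tx-1\",\"status\":\"TRYING\"}";
        try {
            parse(body);
        } catch (JSONException e) {
            System.err.println("rejected: " + e.getMessage());
        }
    }
}
```

Calling the hardened or allowlist configuration once at application startup is the relevant change; note that ParserConfig.getGlobalInstance() is process-wide, so it also affects any other Fastjson parsing in the same JVM.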

Evidence notes

The vulnerability description is sourced from official CVE records and NVD data. The affected product is identified as changmingxie tcc-transaction up to version 2.1.0. The specific vulnerable component is the Fastjson AutoType REST API using Fastjson.parseObject.

Official resources

The vulnerability was disclosed to the vendor prior to public release, but no vendor response was received.