CVE-2026-27172 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: April 28, 2026
Apache Camel - Insecure Deserialization
Published: April 27, 2026 | Updated: April 28, 2026 | Remote Exploitable
Overview
Apache Camel versions 3.0.0 up to (but not including) 4.14.6, and 4.15.0 up to (but not including) 4.18.1, contain an insecure deserialization flaw: ConsulRegistry deserializes Java objects read from the Consul KV store without filtering them. An attacker with write access to the Consul KV store can store a malicious serialized object there and have it deserialized by the Camel process, resulting in arbitrary code execution. Exploitation requires the ability to write such serialized objects to the KV store.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Attackers with write access to Consul KV store can execute arbitrary code in the Camel process, leading to full system compromise.
Mitigation
Upgrade to versions 4.14.6, 4.18.1, or 4.19.0 or later.
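As an added illustration of the defensive pattern behind this class of bug (example code, not from Apache Camel or its fix): a value fetched from a key/value store is deserialized only through a JEP 290 ObjectInputFilter allowlist, so any class outside the expected set is rejected before it is constructed. The class names, size limits and the UnexpectedPayload stand-in are assumptions for this example.

```java
import java.io.*;

public class FilteredKvDeserializer {
    // Constructed allowlist: only these classes may be reconstructed from KV bytes;
    // "!*" rejects everything else, and the limits bound nesting depth and payload size.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "java.lang.String;java.lang.Integer;java.lang.Number;maxdepth=5;maxbytes=65536;!*");

    // Deserialize raw bytes (as read from a KV store) under the allowlist filter.
    public static Object readValue(byte[] raw) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Helper to build sample KV values for the demonstration below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Stand-in (constructed) for any class the registry was never meant to reconstruct.
    static class UnexpectedPayload implements Serializable {
        String note = "not on the allowlist";
    }

    public static void main(String[] args) throws Exception {
        // Accepted: java.lang.String is on the allowlist.
        System.out.println(readValue(serialize("http://service.internal:8080")));
        try {
            // Rejected: the filter reports REJECTED and readObject throws before construction.
            readValue(serialize(new UnexpectedPayload()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with the `jdk.serialFilter` system property, which also covers deserialization paths the application does not control directly.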
Details
- CVE ID: CVE-2026-27172
- Severity: High
- CVSS Score: 8.8
- Type: insecure_deserialization
- Status: unconfirmed
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H