CVE-2026-40473 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: April 27, 2026
Apache Camel - Remote Code Execution
Published: April 27, 2026 | Updated: April 27, 2026 | Remote Exploitable
Overview
Apache Camel versions 3.0.0 up to (but not including) 4.14.6, 4.15.0 up to 4.18.2, and 4.19.0 up to 4.20.0 contain a remote code execution vulnerability caused by the lack of an ObjectInputFilter in camel-mina's MinaConverter.toObjectInput. An attacker who can send crafted serialized Java objects to the MINA consumer port can execute arbitrary code remotely; exploitation requires network access to that port.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Attackers can execute arbitrary code remotely by sending crafted serialized objects to the MINA consumer port, potentially compromising the application.
Mitigation
Upgrade to versions 4.14.6, 4.18.2, or 4.20.0 depending on your release stream.
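The advisory attributes the flaw to a missing ObjectInputFilter on the object-decoding path. The following added example is not Apache Camel's code (class and method names are hypothetical, and the sample payloads are constructed): it places the unfiltered ObjectInputStream pattern the Overview describes next to a reader hardened with a JDK ObjectInputFilter allowlist, so teams can recognise the pattern in their own MINA-style decoders and apply the same control as defence in depth while they schedule the upgrade.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Apache Camel's code): an ObjectInputStream with no
 * ObjectInputFilter, next to a reader that applies a class allowlist before
 * any object is instantiated. Names are hypothetical; payloads are constructed.
 */
public class FilteredDeserializationDemo {

    /** Unfiltered: whatever type the remote peer serialized is instantiated (CWE-502). */
    static Object toObjectUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    /**
     * Allowlist in java.io.ObjectInputFilter.Config pattern syntax: cap nesting depth
     * and array sizes, allow only the listed classes, reject everything else ("!*").
     * The class list here is a constructed demo value; derive yours from the types the
     * endpoint actually exchanges.
     */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;"
            + "java.lang.String;java.lang.Integer;java.util.ArrayList;"
            + "!*");

    /** Hardened: the filter is consulted for every class, array and depth before instantiation. */
    static Object toObjectFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOWLIST);   // Java 9+; must be set before readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign list the service legitimately expects.
        List<String> expected = new ArrayList<>(List.of("hello", "camel"));
        byte[] ok = serialize(expected);
        System.out.println("allowlisted payload -> " + toObjectFiltered(ok));

        // Constructed sample input: a type outside the allowlist, standing in for any
        // unexpected class. The unfiltered reader instantiates it; the filtered reader
        // refuses with InvalidClassException before the class is resolved.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("unfiltered reader accepted: " + toObjectUnfiltered(unexpected).getClass());
        try {
            toObjectFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered reader rejected: " + e.getMessage());
        }
    }
}
```

The per-stream filter must be installed before the first readObject() call. Where the decoding code cannot be changed directly, the JDK also accepts a process-wide filter through the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, which is a useful interim control for a service that exposes a MINA consumer port; neither replaces the vendor upgrade listed above.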
Details
- CVE ID: CVE-2026-40473
- Severity: High
- CVSS Score: 8.8
- Type: insecure_deserialization
- Status: unconfirmed
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H