CVE-2026-40858 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: April 27, 2026
Apache Camel - Insecure Deserialization
Published: April 27, 2026 | Updated: April 27, 2026 | Remote Exploitable
Overview
Apache Camel versions from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0 contain an insecure deserialization vulnerability caused by the lack of an ObjectInputFilter in the ProtoStream-based remote aggregation repository. An attacker with write access to the Infinispan cache can store crafted serialized objects in the cache; when the application deserializes them, the attacker achieves remote code execution. Exploitation requires that the attacker be able to write crafted serialized objects to the cache.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Attackers with write access to Infinispan cache can execute arbitrary code in the application context, leading to full system compromise.
Mitigation
Upgrade to version 4.14.7, 4.18.2, or 4.20.0, or later, depending on the release line in use.
Details
- CVE ID: CVE-2026-40858
- Severity: High
- CVSS Score: 8.8
- Type: insecure_deserialization
- Status: unconfirmed
- CWE: CWE-502
- CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H