CVE-2026-40860 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: April 27, 2026
Apache Camel - Remote Code Execution
Overview
Apache Camel 3.0.0 < 4.14.7, 4.15.0 < 4.18.2, and 4.19.0 < 4.20.0 contain a remote code execution vulnerability caused by unsafe deserialization of JMS ObjectMessage payloads without an ObjectInputFilter or a class allowlist/denylist. An attacker who can publish a crafted ObjectMessage to a queue or topic that Camel consumes can achieve remote code execution; exploitation therefore requires the ability to publish messages to a consumed destination.
Severity & Score
Impact
Attackers can execute arbitrary code remotely by sending crafted JMS ObjectMessages to Camel consumers, potentially compromising the entire system.
Mitigation
Upgrade to Apache Camel 4.20.0, or 4.14.7 for 4.14.x LTS, or 4.18.2 for 4.18.x releases.
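The root cause above is ObjectMessage payloads being deserialized with no ObjectInputFilter or allowlist. As an added illustration, not code from Apache Camel or any JMS provider, this Java snippet binds an allowlist filter to the ObjectInputStream so that only an expected DTO (the hypothetical OrderEvent) and java.base types are resolved; everything else is rejected before its readObject/readResolve can run. The DTO, the Unexpected stand-in type and the sample payloads are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredPayloadConsumer {
    // Hypothetical DTO this consumer legitimately expects from the queue.
    public static final class OrderEvent implements Serializable {
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }
    // Hypothetical stand-in for any type the consumer never expects.
    static final class Unexpected implements Serializable {}

    // Allowlist: the expected DTO plus java.base types; "!*" rejects every other class.
    // The limits bound stream depth, reference count and size before any class is resolved.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxrefs=200;maxbytes=65536;"
        + OrderEvent.class.getName() + ";java.base/*;!*");

    // Deserialize a raw payload with the filter bound to the stream; a class that the
    // filter rejects raises InvalidClassException instead of being instantiated.
    static Object deserialize(byte[] payload) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one expected type, one outside the allowlist.
        OrderEvent accepted = (OrderEvent) deserialize(serialize(new OrderEvent("ORD-42")));
        System.out.println("accepted: " + accepted.orderId);
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: class outside the allowlist was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When the stream is opened inside library code you do not control, as it is in a JMS provider's ObjectMessage.getObject(), the same pattern can be enforced process-wide with the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, which applies to every ObjectInputStream in the JVM. Upgrading to a fixed Camel release remains the actual remediation; the filter is defence in depth.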
Details
- CVE ID: CVE-2026-40860
- Severity: Critical
- CVSS Score: 9.8
- Type: insecure_deserialization
- Status: unconfirmed
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H