Skip to main content

Apache Camel CVE-2026-42527

| EUVDEUVD-2026-41825 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-06 apache GHSA-8h6p-jvhf-9hcr
8.1
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
8.1 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
3.7 LOW

Network-delivered serialized payload with AC:H (must reach a listening consumer under default filter); PR:N at the Camel layer; demonstrated impact is a blind DNS out-of-band side channel, so only C:L with I/A none.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jul 06, 2026 - 19:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 19:22 NVD
8.1 (HIGH)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 06, 2026 - 09:27 vuln.today

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Apache Camel.

The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.;javax.;org.apache.camel.;!*', or the no-'javax.' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object's class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository). This issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.;java.;javax.;org.apache.camel.;!*' (or '!java.net.;java.;org.apache.camel.;!*' for the aggregation-repository components, which do not include javax.).

AnalysisAI

Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern bundled with several components ('java.;javax.;org.apache.camel.;!*') uses a recursive java. glob that allow-lists java.net.URL and java.net.InetAddress. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver serialized ObjectMessage to Camel JMS consumer
Delivery
mapJmsMessage default invokes ObjectMessage.getObject()
Exploit
Deserialize HashMap with java.net.URL keys
Execution
URL.hashCode triggers host resolution
Persist
JVM issues DNS query to attacker host
Impact
Attacker observes query as out-of-band channel

Vulnerability AssessmentAI

Exploitation Requires an affected Camel component (4.14.0-4.14.7, 4.15.0-4.18.2, or 4.19.0-4.20.x) that deserializes attacker-controlled Java-serialized input; the highest exposure is camel-jms/camel-sjms/camel-amqp routes with mapJmsMessage=true (the default), where JmsBinding.extractBodyFromJms unconditionally calls ObjectMessage.getObject(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the ability to publish messages to a JMS destination consumed by a vulnerable Camel route (mapJmsMessage=true by default) sends an ObjectMessage whose body is a serialized HashMap keyed on java.net.URL objects pointing to an attacker-controlled DNS domain. When Camel calls ObjectMessage.getObject(), the JVM deserializes the map and resolves the URL host during hashCode, and the attacker observes the resulting DNS query on their authoritative name server, confirming reachability and enabling blind out-of-band signalling. …
Remediation Vendor-released patch: upgrade to the fixed release containing the CAMEL-23372 fix for your line - 4.14.8 for the 4.14.x line, 4.18.3 for the 4.15.0-4.18.x line, and 4.21.0 for the 4.19.x-4.21.x line. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct inventory of all Apache Camel deployments in use, specifically identifying instances running versions 4.14.0-4.20.x with active JMS components. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33453 CRITICAL POC
10.0 Apr 27

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap

CVE-2026-40858 HIGH POC
8.8 Apr 27

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote In

CVE-2026-47323 CRITICAL
9.8 May 19

Remote code execution in Apache Camel 3.18.0-4.14.5 and 4.15.0-4.18.1 stems from CXF and Knative HeaderFilterStrategy im

CVE-2026-33454 CRITICAL
9.4 Apr 27

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the

CVE-2026-46590 HIGH
8.8 Jul 06

Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and

CVE-2026-27172 HIGH
8.8 Apr 27

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner C

CVE-2026-46591 HIGH
8.2 Jul 06

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMat

CVE-2026-43865 HIGH
8.1 Jul 06

Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelca

CVE-2026-40859 HIGH
8.1 Jul 06

Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a p

CVE-2026-46457 HIGH
7.5 Jul 06

Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS c

CVE-2026-46592 HIGH
7.5 Jul 06

Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0

CVE-2026-46588 HIGH
7.3 Jul 06

Improper input validation in Apache Camel (versions through 4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.0) allows remote atta

Share

CVE-2026-42527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy