
camel-infinispan CVE-2026-6857

EUVD-2026-24738 · HIGH
Deserialization of Untrusted Data (CWE-502)
Published 2026-04-22 · CNA: redhat · GHSA-xfxp-ppx7-cqrp
CVSS 3.1 base score 7.5 (NVD)

Severity by source

  • NVD (primary): 7.5 HIGH, AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Red Hat: 7.5 HIGH (qualitative rating)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (5 events, newest first)

  • Apr 22, 2026 21:37 (vuln.today): Re-analysis queued (CVSS changed)
  • Apr 22, 2026 13:48 (vuln.today): Analysis generated
  • Apr 22, 2026 13:15 (euvd): EUVD ID assigned, EUVD-2026-24738
  • Apr 22, 2026 13:15 (vuln.today): Analysis generated
  • Apr 22, 2026 12:55 (nvd): CVE published, rated HIGH 7.5

Blast Radius (ecosystem impact)

  • 10 maven packages depend on org.apache.camel:camel-infinispan (2 direct, 8 indirect)

Ecosystem-wide dependent count for version 4.20.0, resolved by vuln.today over the transitive dependency graph to a depth of 4.

Description (CVE.org)

A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.

Analysis (AI-generated)

Unsafe deserialization in the ProtoStream remote aggregation repository of the camel-infinispan component lets a low-privileged remote attacker execute arbitrary code. Exploitation requires network access and low-privilege credentials, but a successful attack yields full compromise of the host's confidentiality, integrity, and availability. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: obtain low-privilege credentials
  • Delivery: reach the Camel/Infinispan remote cache endpoint
  • Exploit: craft a malicious serialized ProtoStream payload
  • Install: submit an aggregation request carrying the payload
  • C2: trigger the unsafe deserialization
  • Execute: run a gadget chain as the application process
  • Impact: deploy a persistent backdoor

Vulnerability Assessment (AI-generated)

Exploitation: A remote attacker needs low-privilege authenticated access to a Camel endpoint or Infinispan remote cache service that uses the ProtoStream remote aggregation repository. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS base score of 7.5 (High) reflects severe impact (C:H/I:H/A:H), tempered by two factors that keep it below Critical: high attack complexity (AC:H) and the need for authenticated, if only low-privileged, access (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario (hypothetical): An attacker holding valid low-privilege credentials for a Red Hat Fuse or JBoss EAP application authenticates to an exposed Camel endpoint configured with Infinispan remote caching. The attacker crafts a malicious serialized payload built from gadget classes assumed to be present on the application's classpath and submits it as part of a remote aggregation request to the ProtoStream repository. …
Remediation: Vendor patch status cannot be confirmed from the data available here; consult the Red Hat Product Security advisory at https://access.redhat.com/security/cve/CVE-2026-6857 for update availability and exact fixed versions. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Identify all systems running Red Hat Apache Camel with Infinispan component enabled and document current versions. …
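For the inventory step above, and for the direct versus indirect split shown under Blast Radius, the following Python script is an added example, not a vuln.today or Apache Camel tool. It parses `mvn dependency:tree` output, reports every path by which org.apache.camel:camel-infinispan enters a build, and flags the version this page reports on. The project coordinates and tree text are constructed sample data; because the page names no fixed version, any other version is reported as unverified rather than safe.

```python
"""Locate org.apache.camel:camel-infinispan in `mvn dependency:tree` output.

Added example for this page; not a vuln.today or Apache Camel tool.
Reports each path by which the artifact enters the build (direct, or via
which parent) and whether the version is the one this page reports on.
"""
import re

AFFECTED_GA = "org.apache.camel:camel-infinispan"
# The page reports on 4.20.0 and names no fixed version, so only that version
# is flagged "affected"; anything else is "unverified", never "safe".
KNOWN_AFFECTED_VERSIONS = {"4.20.0"}

# Constructed sample output for a hypothetical project (not real data).
# Default `mvn dependency:tree` prints one resolved version per artifact;
# -Dverbose also prints conflict-omitted duplicates, which are not parsed here.
SAMPLE_TREE = """\
[INFO] com.example:order-service:jar:1.4.2
[INFO] +- org.apache.camel:camel-core:jar:4.20.0:compile
[INFO] +- org.apache.camel:camel-infinispan:jar:4.20.0:compile
[INFO] |  \\- org.infinispan:infinispan-client-hotrod:jar:15.0.0.Final:compile
[INFO] +- com.example:shared-routes:jar:2.1.0:compile
[INFO] |  \\- org.apache.camel:camel-infinispan:jar:4.20.0:compile
[INFO] \\- org.apache.camel:camel-jackson:jar:4.20.0:compile
"""

# Tree lines: optional indent made of 3-char cells ("|  " or "   "), then a
# "+-" or "\-" branch marker, a space and the coordinate string.
_MARKER = re.compile(r"^(?P<indent>(?:[| ]  )*)(?:\+-|\\-) (?P<coord>\S+)$")


def parse_tree(text):
    """Yield (depth, groupId, artifactId, version) for every node.

    Depth 0 is the project itself, 1 a direct dependency, >1 transitive.
    """
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        if not line.strip():
            continue
        m = _MARKER.match(line)
        if m:
            depth = len(m.group("indent")) // 3 + 1
            coord = m.group("coord")
        else:  # root line: groupId:artifactId:packaging:version
            depth, coord = 0, line.strip()
        parts = coord.split(":")
        # Dependency lines end in ...:version:scope; the root line has no scope.
        version = parts[-2] if depth > 0 else parts[-1]
        yield depth, parts[0], parts[1], version


def find_affected(text):
    """Return one finding per occurrence of the affected artifact."""
    findings = []
    stack = []  # groupId:artifactId of the ancestors at each depth
    for depth, group, artifact, version in parse_tree(text):
        ga = f"{group}:{artifact}"
        del stack[depth:]
        stack.append(ga)
        if ga == AFFECTED_GA:
            findings.append({
                "version": version,
                "direct": depth == 1,
                "via": " -> ".join(stack[1:-1]) or None,
                "status": ("affected" if version in KNOWN_AFFECTED_VERSIONS
                           else "unverified"),
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_TREE):
        how = "direct" if f["direct"] else f"via {f['via']}"
        print(f"{AFFECTED_GA}:{f['version']}  {how}  [{f['status']}]")
```

Against the sample tree it reports the artifact twice: once as a direct dependency and once pulled in through com.example:shared-routes, both at 4.20.0. In a real estate, feed it `mvn dependency:tree` output from every build, and treat an "unverified" version as something to confirm against the Red Hat advisory, not as a pass.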


Vendor Status

CVE-2026-6857 vulnerability details – vuln.today
