Apache Camel Deserialization Flaws Expose JMS, Mina, and Infinispan Deployments to RCE
Apache disclosed three unsafe deserialization vulnerabilities in Apache Camel that can lead to remote code execution in deployments using camel-mina, the JMS-related components, and camel-infinispan. In each case Camel hands attacker-reachable bytes to java.io.ObjectInputStream without restricting which classes the stream may instantiate.

CVE-2026-40473 affects camel-mina: MinaConverter.toObjectInput() wraps network-supplied TCP or UDP data in java.io.ObjectInputStream with no ObjectInputFilter or class-loading restrictions, so a crafted serialized Java object can execute code during readObject().

CVE-2026-40860 affects camel-jms, camel-sjms, camel-sjms2, and camel-amqp: with the default mapJmsMessage option enabled, Camel deserializes JMS ObjectMessage payloads through ObjectMessage.getObject(), again without filtering or allow/deny lists. An attacker who can publish to a queue or topic that a Camel route consumes can trigger code execution if a gadget chain is present on the application's classpath.

Apache also disclosed CVE-2026-40858 in camel-infinispan: the ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without an input filter, so an attacker able to write to the cache can plant a malicious serialized object that executes during normal get or recover operations.

The affected ranges differ per component: 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0 for camel-mina; 3.0.0 before 4.14.7, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0 for the JMS components; and 4.0.0 before 4.14.7, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0 for camel-infinispan. Fixes shipped in 4.20.0 and were backported to the supported LTS streams as 4.14.6/4.14.7 and 4.18.2. Apache tracks the flaws as CAMEL-23319, CAMEL-23321, and CAMEL-23322, with reports credited to researchers from Securin and Innora Pte. Ltd.
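The defect common to all three advisories is an ObjectInputStream with no ObjectInputFilter. The following is an added example, not Camel's code and not Apache's fix, that puts the unfiltered pattern beside an allow-list filter (JEP 290) so the difference is visible on the wire. It assumes Java 9 or later, that the classes live in the default package, and it uses a constructed OrderEvent type as the legitimate payload and java.util.HashMap as a stand-in for any class the receiver did not expect; no gadget chain is included.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Constructed sample payload type: the only class the receiver should ever accept.
class OrderEvent implements Serializable {
    private static final long serialVersionUID = 1L;
    final String orderId;
    OrderEvent(String orderId) { this.orderId = orderId; }
}

public class FilteredDeserializationDemo {

    // Produces the bytes a producer (or an attacker with publish/write access) would send.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: untrusted bytes go straight into ObjectInputStream.
    // Any Serializable class on the classpath can be instantiated inside readObject().
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allow-list filter. Pattern entries are matched in order,
    // so only OrderEvent (and the String it carries) are permitted; "!*" rejects
    // every other class before its readObject() or constructor runs.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList =
            ObjectInputFilter.Config.createFilter("OrderEvent;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowList);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new OrderEvent("A-1001"));
        // Constructed stand-in for an unexpected (attacker-chosen) class in the stream.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered accepts OrderEvent: " + (readUnfiltered(legit) instanceof OrderEvent));
        System.out.println("unfiltered accepts HashMap:    " + (readUnfiltered(unexpected) instanceof HashMap));
        System.out.println("filtered accepts OrderEvent:   " + (readFiltered(legit) instanceof OrderEvent));
        try {
            readFiltered(unexpected);
            System.out.println("filtered accepted HashMap (should not happen)");
        } catch (InvalidClassException e) {
            // The filter returns REJECTED and the stream aborts before instantiation.
            System.out.println("filtered rejected HashMap: " + e.getMessage());
        }
    }
}
```

Where the deserialization happens inside a library rather than in code you control, as with a JMS client's ObjectMessage.getObject(), the same pattern syntax can be applied process-wide with the `-Djdk.serialFilter=...` system property, which every ObjectInputStream in the JVM consults. That is general JDK hardening and is offered here as defence in depth; the advisories' own remediation is upgrading to the fixed Camel releases.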

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Apache Camel camel-consul deserialization flaw disclosed
Apache disclosed CVE-2026-27172, an unsafe Java deserialization vulnerability in camel-consul's ConsulRegistry that can enable arbitrary code execution if an attacker can write malicious serialized data to the Consul KV store. Apache said affected versions are 3.0.0 before 4.14.6 and 4.15.0 before 4.18.1, and recommended upgrading to 4.19.0 or fixed LTS releases 4.14.6 or 4.18.1.
Apache Camel Infinispan unsafe deserialization flaw disclosed
Apache disclosed CVE-2026-40858, an unsafe deserialization vulnerability in camel-infinispan's remote aggregation repository that could lead to code execution if an attacker can write crafted data to the remote Infinispan cache. Apache said affected versions are 4.0.0 before 4.14.7, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0, and recommended upgrading to fixed releases.
Apache Camel JMS components unsafe deserialization flaw disclosed
Apache disclosed CVE-2026-40860, an unsafe deserialization vulnerability in camel-jms, camel-sjms, camel-sjms2, and camel-amqp caused by deserializing JMS ObjectMessage payloads without filtering. Apache said affected versions are 3.0.0 before 4.14.7, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0, and advised upgrading to the patched versions.
Apache Camel Mina unsafe deserialization vulnerability disclosed
Apache disclosed CVE-2026-40473, a moderate-severity unsafe deserialization flaw in camel-mina's MinaConverter.toObjectInput(IoBuffer) that could allow remote code execution when vulnerable TCP or UDP consumers process crafted serialized Java objects. Apache said affected versions include 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0, and recommended upgrading to fixed releases.
Apache DolphinScheduler authorization flaw disclosed and fixed in 3.4.1
Apache disclosed CVE-2026-23902, an incorrect authorization vulnerability that lets authenticated users use tenants not defined on the platform during workflow execution. The issue affects Apache DolphinScheduler API versions before 3.4.1, and Apache recommended upgrading to version 3.4.1.
Sources
CVE-2026-40858 - Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository (cvefeed.io)
CVE-2026-40473 - Apache Camel Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP (cvefeed.io)
oss-sec: CVE-2026-40858: Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository (seclists.org)
oss-sec: CVE-2026-27172: Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store (seclists.org)
oss-sec: CVE-2026-40473: Apache Camel: Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP (seclists.org)
oss-sec: CVE-2026-40860: Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp (seclists.org)
CVE-2026-23902 - Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution. (cvefeed.io)
oss-sec: CVE-2026-23902: Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution. (seclists.org)


