CVE-2026-40473: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel Mina
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
AI Analysis
Technical Summary
The Apache Camel Mina component's type converter MinaConverter.toObjectInput(IoBuffer) deserializes data from IoBuffer using java.io.ObjectInputStream without applying ObjectInputFilter or class-loading restrictions. This insecure deserialization allows remote attackers to send malicious serialized Java objects to the TCP or UDP consumer port, leading to arbitrary code execution during the readObject() call. Affected versions include Apache Camel from 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0. The vulnerability is tracked as CVE-2026-40473 with a CVSS 3.1 score of 8.8 (high severity).
Potential Impact
Successful exploitation allows remote attackers with network access and at least low privileges (PR:L) to execute arbitrary code in the context of the affected application, resulting in full confidentiality, integrity, and availability compromise. This can lead to complete system takeover or disruption of services relying on Apache Camel Mina deserialization.
Mitigation Recommendations
A fix is available. Users should upgrade Apache Camel Mina to version 4.20.0 or later. For users on the 4.14.x LTS stream, upgrade to 4.14.6 is recommended. For those on the 4.18.x stream, upgrade to 4.18.2 is advised. There is no indication that temporary mitigations or workarounds are provided; applying the official patch is the recommended remediation.
CVE-2026-40473: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel Mina
Description
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
CVSS v3.1
Score 8.8high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Apache Camel Mina component's type converter MinaConverter.toObjectInput(IoBuffer) deserializes data from IoBuffer using java.io.ObjectInputStream without applying ObjectInputFilter or class-loading restrictions. This insecure deserialization allows remote attackers to send malicious serialized Java objects to the TCP or UDP consumer port, leading to arbitrary code execution during the readObject() call. Affected versions include Apache Camel from 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0. The vulnerability is tracked as CVE-2026-40473 with a CVSS 3.1 score of 8.8 (high severity).
Potential Impact
Successful exploitation allows remote attackers with network access and at least low privileges (PR:L) to execute arbitrary code in the context of the affected application, resulting in full confidentiality, integrity, and availability compromise. This can lead to complete system takeover or disruption of services relying on Apache Camel Mina deserialization.
Mitigation Recommendations
A fix is available. Users should upgrade Apache Camel Mina to version 4.20.0 or later. For users on the 4.14.x LTS stream, upgrade to 4.14.6 is recommended. For those on the 4.18.x stream, upgrade to 4.18.2 is advised. There is no indication that temporary mitigations or workarounds are provided; applying the official patch is the recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-13T16:02:12.368Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ef291bba26a39fba10e180
Added to database: 4/27/2026, 9:15:07 AM
Last enriched: 5/5/2026, 2:42:17 AM
Last updated: 6/12/2026, 5:20:05 AM
Views: 47
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.