CVE-2026-40473: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel Mina
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
AI Analysis
Technical Summary
The Apache Camel Mina component's MinaConverter.toObjectInput method deserializes untrusted data without applying ObjectInputFilter or class-loading restrictions, leading to a CWE-502 vulnerability. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput, an attacker can send malicious serialized Java objects that execute arbitrary code during deserialization. This affects Apache Camel versions 3.0.0 up to but not including 4.14.6, 4.15.0 up to but not including 4.18.2, and 4.19.0 up to but not including 4.20.0. The issue is resolved in versions 4.14.6, 4.18.2, and 4.20.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the affected application by sending crafted serialized Java objects to the vulnerable Apache Camel Mina consumer. This can lead to full compromise of the application environment running the vulnerable Camel route.
Mitigation Recommendations
A fix is available. Users should upgrade Apache Camel Mina to version 4.20.0 or later. For those on the 4.14.x LTS stream, upgrade to 4.14.6 is recommended. For users on the 4.18.x stream, upgrade to 4.18.2 is advised. Applying these updates mitigates the vulnerability by adding necessary deserialization filtering and restrictions.
CVE-2026-40473: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel Mina
Description
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Apache Camel Mina component's MinaConverter.toObjectInput method deserializes untrusted data without applying ObjectInputFilter or class-loading restrictions, leading to a CWE-502 vulnerability. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput, an attacker can send malicious serialized Java objects that execute arbitrary code during deserialization. This affects Apache Camel versions 3.0.0 up to but not including 4.14.6, 4.15.0 up to but not including 4.18.2, and 4.19.0 up to but not including 4.20.0. The issue is resolved in versions 4.14.6, 4.18.2, and 4.20.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the affected application by sending crafted serialized Java objects to the vulnerable Apache Camel Mina consumer. This can lead to full compromise of the application environment running the vulnerable Camel route.
Mitigation Recommendations
A fix is available. Users should upgrade Apache Camel Mina to version 4.20.0 or later. For those on the 4.14.x LTS stream, upgrade to 4.14.6 is recommended. For users on the 4.18.x stream, upgrade to 4.18.2 is advised. Applying these updates mitigates the vulnerability by adding necessary deserialization filtering and restrictions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-13T16:02:12.368Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ef291bba26a39fba10e180
Added to database: 4/27/2026, 9:15:07 AM
Last enriched: 4/27/2026, 9:31:24 AM
Last updated: 4/28/2026, 1:47:30 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.