CVE-2026-40858: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
CVE-2026-40858 is a high-severity deserialization vulnerability in the Apache Camel camel-infinispan component. It occurs because the ProtoStream-based remote aggregation repository deserializes data from a remote Infinispan cache using java.io. ObjectInputStream without applying any ObjectInputFilter. An attacker able to write crafted serialized Java objects to the cache can trigger arbitrary code execution during normal repository operations. This affects Apache Camel versions from 4.0.0 before 4.14.7, from 4.
AI Analysis
Technical Summary
The vulnerability in Apache Camel's camel-infinispan component arises from unsafe deserialization of data read from a remote Infinispan cache. Specifically, the ProtoStream-based remote aggregation repository uses java.io.ObjectInputStream without any ObjectInputFilter, allowing an attacker who can write to the cache to inject malicious serialized Java objects. When these objects are deserialized during aggregation repository operations such as get or recover, they can lead to arbitrary code execution within the application's context. This affects multiple Apache Camel versions prior to the patched releases 4.14.7, 4.18.2, and 4.20.0. The issue is tracked under JIRA ticket CAMEL-23322 and is part of a class of deserialization vulnerabilities previously addressed in CVE-2024-22369, CVE-2024-23114, and CVE-2026-25747.
Potential Impact
Successful exploitation allows an attacker with write access to the Infinispan cache to execute arbitrary code within the context of the affected Apache Camel application. This can lead to full compromise of the application, including confidentiality, integrity, and availability impacts as indicated by the CVSS score of 8.8 (high severity).
Mitigation Recommendations
A fix is available. Users should upgrade to Apache Camel version 4.20.0 if using the 4.19.x stream, 4.18.2 if using the 4.18.x stream, or 4.14.7 if using the 4.14.x LTS stream. These versions include the necessary patches to apply ObjectInputFilter protections during deserialization. Patch status is confirmed by the vendor advisory and referenced JIRA ticket. No alternative mitigations are indicated in the advisory.
CVE-2026-40858: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
Description
CVE-2026-40858 is a high-severity deserialization vulnerability in the Apache Camel camel-infinispan component. It occurs because the ProtoStream-based remote aggregation repository deserializes data from a remote Infinispan cache using java.io. ObjectInputStream without applying any ObjectInputFilter. An attacker able to write crafted serialized Java objects to the cache can trigger arbitrary code execution during normal repository operations. This affects Apache Camel versions from 4.0.0 before 4.14.7, from 4.
CVSS v3.1
Score 8.8high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Camel's camel-infinispan component arises from unsafe deserialization of data read from a remote Infinispan cache. Specifically, the ProtoStream-based remote aggregation repository uses java.io.ObjectInputStream without any ObjectInputFilter, allowing an attacker who can write to the cache to inject malicious serialized Java objects. When these objects are deserialized during aggregation repository operations such as get or recover, they can lead to arbitrary code execution within the application's context. This affects multiple Apache Camel versions prior to the patched releases 4.14.7, 4.18.2, and 4.20.0. The issue is tracked under JIRA ticket CAMEL-23322 and is part of a class of deserialization vulnerabilities previously addressed in CVE-2024-22369, CVE-2024-23114, and CVE-2026-25747.
Potential Impact
Successful exploitation allows an attacker with write access to the Infinispan cache to execute arbitrary code within the context of the affected Apache Camel application. This can lead to full compromise of the application, including confidentiality, integrity, and availability impacts as indicated by the CVSS score of 8.8 (high severity).
Mitigation Recommendations
A fix is available. Users should upgrade to Apache Camel version 4.20.0 if using the 4.19.x stream, 4.18.2 if using the 4.18.x stream, or 4.14.7 if using the 4.14.x LTS stream. These versions include the necessary patches to apply ObjectInputFilter protections during deserialization. Patch status is confirmed by the vendor advisory and referenced JIRA ticket. No alternative mitigations are indicated in the advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-15T12:16:41.226Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ef33a6ba26a39fba154134
Added to database: 4/27/2026, 10:00:06 AM
Last enriched: 5/5/2026, 7:40:53 AM
Last updated: 6/11/2026, 6:30:57 PM
Views: 148
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.