Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-40859: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel

0
Critical
VulnerabilityCVE-2026-40859cvecve-2026-40859cwe-502
Published: 07/06/2026 (07/06/2026, 07:54:29 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Camel

Description

Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream) This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSerializedObject=true) and throwExceptionOnFailure is left at its default value of true; in that case a backend HTTP response with a 5xx status and the application/x-java-serialized-object content type has its body deserialized with no class restrictions. An attacker who controls the backend the Camel producer talks to - through a man-in-the-middle position on an unencrypted (plain HTTP) connection, or by compromising the backend service - can return a crafted serialized Java object and, if a suitable gadget chain is present on the classpath, achieve remote code execution on the Camel application host. The path is not reachable in the default configuration, where transferException is false. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserializationFilter endpoint option or the JVM-wide -Djdk.serialFilter system property. For deployments that cannot upgrade immediately: do not enable transferException=true (or allowJavaSerializedObject=true) on producers that talk to untrusted or network-reachable backends; ensure producer connections use TLS (https) so that a response cannot be substituted by a man-in-the-middle; and, where the option is required, set an explicit -Djdk.serialFilter allow-list (for example java.**;org.apache.camel.**;!*) to constrain deserialization.

Affected software

Apache Software Foundation/org.apache.camel:camel-vertx-http
pkg:maven/Apache Software Foundation/org.apache.camel:camel-vertx-http
Affected versions
>=4.0.0 <4.14.8>=4.15.0 <4.18.3>=4.19.0 <4.20.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 09:22:19 UTC

Technical Analysis

The vulnerability in Apache Camel's camel-vertx-http component arises from unsafe deserialization of HTTP response bodies with the content type application/x-java-serialized-object. When transferException=true (or allowJavaSerializedObject=true) and throwExceptionOnFailure=true, the component uses a raw ObjectInputStream without applying any ObjectInputFilter, enabling deserialization of untrusted data. This can be exploited by an attacker controlling the backend service or positioned as a man-in-the-middle on unencrypted HTTP connections to send crafted serialized Java objects. If a suitable gadget chain exists on the classpath, this can lead to remote code execution on the host running the Camel application. The vulnerability affects Apache Camel versions 4.0.0 up to but not including 4.14.8, 4.15.0 up to but not including 4.18.3, and 4.19.0 up to but not including 4.20.0. The issue is fixed in versions 4.14.8, 4.18.3, and 4.20.0 respectively, where deserialization is constrained by a default ObjectInputFilter. Users are advised to upgrade or apply mitigations such as disabling transferException or using TLS and explicit deserialization filters.

Potential Impact

An attacker who can control the backend HTTP service or intercept unencrypted HTTP traffic can exploit this vulnerability to send malicious serialized Java objects that may lead to remote code execution on the Apache Camel host, provided a suitable gadget chain is present. This can result in full compromise of the affected system. The vulnerability is conditional on specific configuration options (transferException=true or allowJavaSerializedObject=true) and is not exploitable in default configurations where transferException is false.

Mitigation Recommendations

A fix is available in Apache Camel versions 4.14.8, 4.18.3, and 4.20.0. Users should upgrade to one of these versions depending on their release stream. After upgrading, deserialization is restricted by a default ObjectInputFilter, which can be customized. For users unable to upgrade immediately, do not enable transferException=true or allowJavaSerializedObject=true on producers communicating with untrusted or network-exposed backends. Ensure producer connections use TLS (HTTPS) to prevent man-in-the-middle attacks. Additionally, set an explicit JVM deserialization filter (-Djdk.serialFilter) to constrain deserialization to safe classes.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-04-15T12:20:24.037Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null

Threat ID: 6a4b6caa27e9c797192521b3

Added to database: 07/06/2026, 08:51:54 UTC

Last enriched: 07/06/2026, 09:22:19 UTC

Last updated: 07/06/2026, 13:06:25 UTC

Views: 10

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses