CVE-2026-40859: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream) This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSerializedObject=true) and throwExceptionOnFailure is left at its default value of true; in that case a backend HTTP response with a 5xx status and the application/x-java-serialized-object content type has its body deserialized with no class restrictions. An attacker who controls the backend the Camel producer talks to - through a man-in-the-middle position on an unencrypted (plain HTTP) connection, or by compromising the backend service - can return a crafted serialized Java object and, if a suitable gadget chain is present on the classpath, achieve remote code execution on the Camel application host. The path is not reachable in the default configuration, where transferException is false. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserializationFilter endpoint option or the JVM-wide -Djdk.serialFilter system property. For deployments that cannot upgrade immediately: do not enable transferException=true (or allowJavaSerializedObject=true) on producers that talk to untrusted or network-reachable backends; ensure producer connections use TLS (https) so that a response cannot be substituted by a man-in-the-middle; and, where the option is required, set an explicit -Djdk.serialFilter allow-list (for example java.**;org.apache.camel.**;!*) to constrain deserialization.
AI Analysis
Technical Summary
The vulnerability in Apache Camel's camel-vertx-http component arises from unsafe deserialization of HTTP response bodies with the content type application/x-java-serialized-object. When transferException=true (or allowJavaSerializedObject=true) and throwExceptionOnFailure=true, the component uses a raw ObjectInputStream without applying any ObjectInputFilter, enabling deserialization of untrusted data. This can be exploited by an attacker controlling the backend service or positioned as a man-in-the-middle on unencrypted HTTP connections to send crafted serialized Java objects. If a suitable gadget chain exists on the classpath, this can lead to remote code execution on the host running the Camel application. The vulnerability affects Apache Camel versions 4.0.0 up to but not including 4.14.8, 4.15.0 up to but not including 4.18.3, and 4.19.0 up to but not including 4.20.0. The issue is fixed in versions 4.14.8, 4.18.3, and 4.20.0 respectively, where deserialization is constrained by a default ObjectInputFilter. Users are advised to upgrade or apply mitigations such as disabling transferException or using TLS and explicit deserialization filters.
Potential Impact
An attacker who can control the backend HTTP service or intercept unencrypted HTTP traffic can exploit this vulnerability to send malicious serialized Java objects that may lead to remote code execution on the Apache Camel host, provided a suitable gadget chain is present. This can result in full compromise of the affected system. The vulnerability is conditional on specific configuration options (transferException=true or allowJavaSerializedObject=true) and is not exploitable in default configurations where transferException is false.
Mitigation Recommendations
A fix is available in Apache Camel versions 4.14.8, 4.18.3, and 4.20.0. Users should upgrade to one of these versions depending on their release stream. After upgrading, deserialization is restricted by a default ObjectInputFilter, which can be customized. For users unable to upgrade immediately, do not enable transferException=true or allowJavaSerializedObject=true on producers communicating with untrusted or network-exposed backends. Ensure producer connections use TLS (HTTPS) to prevent man-in-the-middle attacks. Additionally, set an explicit JVM deserialization filter (-Djdk.serialFilter) to constrain deserialization to safe classes.
CVE-2026-40859: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
Description
Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream) This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSerializedObject=true) and throwExceptionOnFailure is left at its default value of true; in that case a backend HTTP response with a 5xx status and the application/x-java-serialized-object content type has its body deserialized with no class restrictions. An attacker who controls the backend the Camel producer talks to - through a man-in-the-middle position on an unencrypted (plain HTTP) connection, or by compromising the backend service - can return a crafted serialized Java object and, if a suitable gadget chain is present on the classpath, achieve remote code execution on the Camel application host. The path is not reachable in the default configuration, where transferException is false. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserializationFilter endpoint option or the JVM-wide -Djdk.serialFilter system property. For deployments that cannot upgrade immediately: do not enable transferException=true (or allowJavaSerializedObject=true) on producers that talk to untrusted or network-reachable backends; ensure producer connections use TLS (https) so that a response cannot be substituted by a man-in-the-middle; and, where the option is required, set an explicit -Djdk.serialFilter allow-list (for example java.**;org.apache.camel.**;!*) to constrain deserialization.
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-vertx-httpRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Camel's camel-vertx-http component arises from unsafe deserialization of HTTP response bodies with the content type application/x-java-serialized-object. When transferException=true (or allowJavaSerializedObject=true) and throwExceptionOnFailure=true, the component uses a raw ObjectInputStream without applying any ObjectInputFilter, enabling deserialization of untrusted data. This can be exploited by an attacker controlling the backend service or positioned as a man-in-the-middle on unencrypted HTTP connections to send crafted serialized Java objects. If a suitable gadget chain exists on the classpath, this can lead to remote code execution on the host running the Camel application. The vulnerability affects Apache Camel versions 4.0.0 up to but not including 4.14.8, 4.15.0 up to but not including 4.18.3, and 4.19.0 up to but not including 4.20.0. The issue is fixed in versions 4.14.8, 4.18.3, and 4.20.0 respectively, where deserialization is constrained by a default ObjectInputFilter. Users are advised to upgrade or apply mitigations such as disabling transferException or using TLS and explicit deserialization filters.
Potential Impact
An attacker who can control the backend HTTP service or intercept unencrypted HTTP traffic can exploit this vulnerability to send malicious serialized Java objects that may lead to remote code execution on the Apache Camel host, provided a suitable gadget chain is present. This can result in full compromise of the affected system. The vulnerability is conditional on specific configuration options (transferException=true or allowJavaSerializedObject=true) and is not exploitable in default configurations where transferException is false.
Mitigation Recommendations
A fix is available in Apache Camel versions 4.14.8, 4.18.3, and 4.20.0. Users should upgrade to one of these versions depending on their release stream. After upgrading, deserialization is restricted by a default ObjectInputFilter, which can be customized. For users unable to upgrade immediately, do not enable transferException=true or allowJavaSerializedObject=true on producers communicating with untrusted or network-exposed backends. Ensure producer connections use TLS (HTTPS) to prevent man-in-the-middle attacks. Additionally, set an explicit JVM deserialization filter (-Djdk.serialFilter) to constrain deserialization to safe classes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-15T12:20:24.037Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4b6caa27e9c797192521b3
Added to database: 07/06/2026, 08:51:54 UTC
Last enriched: 07/06/2026, 09:22:19 UTC
Last updated: 07/06/2026, 13:06:25 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.