CVE-2026-40860: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability CVE-2026-40860 in Apache Camel involves unsafe deserialization of JMS ObjectMessage payloads in the JmsBinding.extractBodyFromJms() method and equivalent classes in related JMS components. The deserialization occurs without applying ObjectInputFilter or class allow/deny lists, enabling remote code execution if an attacker can publish a crafted ObjectMessage to a queue or topic consumed by the vulnerable Camel application and if a deserialization gadget chain is present on the classpath. This affects Apache Camel versions from 3.0.0 up to but not including 4.14.7, 4.15.0 up to but not including 4.18.2, and 4.19.0 up to but not including 4.20.0. The recommended remediation is to upgrade to Apache Camel 4.14.7, 4.18.2, or 4.20.0 depending on the release stream in use.
Potential Impact
Successful exploitation allows an attacker who can send crafted JMS ObjectMessages to a Camel JMS consumer to achieve remote code execution on the system running the vulnerable Apache Camel instance. This requires the presence of a deserialization gadget chain on the classpath. The vulnerability affects multiple JMS-related components that rely on JmsBinding, expanding the attack surface within Apache Camel deployments using JMS messaging.
Mitigation Recommendations
Users should upgrade to Apache Camel 4.20.0, which fixes the issue; users on the 4.14.x LTS stream should upgrade to 4.14.7, and users on the 4.18.x stream to 4.18.2. The vendor advisory lists no workaround or temporary fix. Note the precondition the advisory states: exploitation requires the ability to publish a crafted ObjectMessage to a queue or topic the Camel application consumes, so broker-side authorization on those destinations narrows who can reach the vulnerable code path, but it is not a substitute for the fixed versions. Patch status is confirmed by the vendor advisory recommending these fixed versions.
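The description above says the vulnerable path calls ObjectMessage.getObject() with no ObjectInputFilter, allowlist or denylist, and the mitigation section says the advisory offers nothing but upgrading. The following is an added example, not Camel code and not taken from the advisory, showing in plain JDK terms what the missing control is: the same serialized bytes read once with no filter (the vulnerable shape) and once through an ObjectInputFilter allowlist (the hardened shape). The Order and Unexpected classes, the filter pattern and the in-memory byte payloads are all constructed for this demo; no JMS broker or client library is involved, and Unexpected is a harmless stand-in whose readObject() only sets a flag, not a real gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Constructed stand-in for the business payload a JMS consumer actually expects.
class Order implements Serializable {
    private static final long serialVersionUID = 1L;
    final String id;
    final int quantity;
    Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
}

// Constructed stand-in for an unexpected Serializable class on the classpath.
// Its readObject() only records that it ran; a real gadget chain would do far more.
class Unexpected implements Serializable {
    private static final long serialVersionUID = 1L;
    static boolean readObjectRan = false;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        readObjectRan = true;
    }
}

public class JmsPayloadFilterDemo {

    // Produces the bytes a broker would carry in an ObjectMessage body.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable shape: no filter, so any Serializable class on the classpath is
    // instantiated and its readObject() runs before the caller sees anything.
    static Object deserializeUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    // Hardened shape: the filter is attached before readObject(). It is consulted when
    // each class descriptor is resolved, which happens before the object is allocated,
    // so a rejected class never gets its readObject() executed.
    static Object deserializeFiltered(byte[] payload, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Allowlist: exactly the expected payload class plus the JDK's java.base classes
    // (String, boxed primitives, collections); "!*" rejects everything else. The depth
    // and array limits cap resource abuse by a malformed stream.
    static ObjectInputFilter allowlistFilter() {
        return ObjectInputFilter.Config.createFilter("maxdepth=10;maxarray=10000;Order;java.base/*;!*");
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Order("A-100", 3));
        byte[] hostile = serialize(new Unexpected());

        // Unfiltered: the hostile payload's readObject() runs.
        deserializeUnfiltered(hostile);
        System.out.println("unfiltered: Unexpected.readObject ran = " + Unexpected.readObjectRan);

        Unexpected.readObjectRan = false;
        ObjectInputFilter filter = allowlistFilter();

        // Filtered: the expected payload still deserializes ...
        Order o = (Order) deserializeFiltered(legit, filter);
        System.out.println("filtered: accepted " + o.id + " x" + o.quantity);

        // ... and the unexpected class is rejected before its readObject() can run.
        try {
            deserializeFiltered(hostile, filter);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + "), readObject ran = "
                    + Unexpected.readObjectRan);
        }
    }
}
```

Compile and run with a JDK 9 or newer (`javac JmsPayloadFilterDemo.java && java JmsPayloadFilterDemo`). The unfiltered call reports that Unexpected.readObject ran; the filtered calls accept the Order and reject Unexpected with an InvalidClassException whose message ends in "filter status: REJECTED", with the flag still false. In a Camel deployment the deserialization happens inside the JMS client library's getObject(), where application code cannot attach a per-stream filter as this demo does; the control a deployer can apply without touching Camel is the process-wide filter, either `-Djdk.serialFilter="Order;java.base/*;!*"` on the JVM command line or a single call to `ObjectInputFilter.Config.setSerialFilter(filter)` at startup (it throws IllegalStateException if set twice). That applies to every java.io.ObjectInputStream in the process, so it covers getObject() only if the JMS client deserializes through the standard ObjectInputStream, which is an assumption to verify against the client in use; it is a defense-in-depth layer, not a replacement for the fixed Camel versions.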
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-04-15T12:44:39.673Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69ef291bba26a39fba10e184
Added to database: 4/27/2026, 9:15:07 AM
Last enriched: 4/27/2026, 9:31:15 AM
Last updated: 4/28/2026, 1:47:23 AM