Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-43865: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel

0
Critical
VulnerabilityCVE-2026-43865cvecve-2026-43865cwe-502
Published: 07/06/2026 (07/06/2026, 07:55:26 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Camel

Description

Deserialization of Untrusted Data vulnerability in Apache Camel Hazelcast component. The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user-supplied HazelcastInstance, hazelcastConfigUri, or referenced Config bean is provided - neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured, so objects received over the Hazelcast cluster protocol are deserialized inside Hazelcast's own serialization layer (ObjectInputStream.readObject) before Camel ever processes them. An attacker who can join or otherwise reach the Hazelcast cluster can publish a crafted serialized Java object that is then deserialized on every Camel node, resulting in remote code execution. The exposure is present by default and requires no opt-in endpoint configuration: any route using a hazelcast consumer (hazelcast-topic, hazelcast-queue, hazelcast-seda, hazelcast-map, hazelcast-multimap, hazelcast-replicatedmap, hazelcast-list, hazelcast-set), as well as the HazelcastAggregationRepository and HazelcastIdempotentRepository, is affected whenever the managed instance is created from Camel's default configuration. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes Camel apply a default Hazelcast JavaSerializationFilterConfig (whitelisting the java., javax. and org.apache.camel. class-name prefixes and blacklisting java.net.) to instances it creates from its own default configuration, while leaving any user-supplied Config or HazelcastInstance untouched. For deployments that cannot upgrade immediately, configure a deserialization filter on the Hazelcast instance (Hazelcast JavaSerializationFilterConfig, or the JVM-wide system property -Djdk.serialFilter=!java.net.**;java.**;javax.**;org.apache.camel.**;!*) and enable Hazelcast cluster authentication and TLS to restrict who can reach the cluster.

Affected software

Apache Software Foundation/org.apache.camel:camel-hazelcast
pkg:maven/Apache Software Foundation/org.apache.camel:camel-hazelcast
Affected versions
>=4.0.0 <4.14.8>=4.15.0 <4.18.3>=4.19.0 <4.21.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 09:22:02 UTC

Technical Analysis

The Apache Camel camel-hazelcast component creates Hazelcast instances using a default configuration that does not apply any Java deserialization filter. When Camel builds the Hazelcast Config itself (i.e., no user-supplied HazelcastInstance, hazelcastConfigUri, or Config bean), neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured. Consequently, objects received over the Hazelcast cluster protocol are deserialized inside Hazelcast's serialization layer without filtering. An attacker able to join or reach the Hazelcast cluster can publish malicious serialized Java objects that get deserialized on every Camel node, leading to remote code execution. This vulnerability affects Apache Camel versions 4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0. The issue is fixed in versions 4.14.8, 4.18.3, and 4.21.0 by applying a default Hazelcast JavaSerializationFilterConfig that whitelists safe class prefixes and blacklists java.net classes. Users unable to upgrade immediately should configure deserialization filters manually and enable Hazelcast cluster authentication and TLS to restrict access.

Potential Impact

An attacker who can join or otherwise reach the Hazelcast cluster can send crafted serialized Java objects that are deserialized by the vulnerable Apache Camel nodes. This deserialization of untrusted data can lead to remote code execution on affected nodes. The exposure is present by default in affected versions and requires no special endpoint configuration, impacting any route using hazelcast consumers or repositories that rely on the default Hazelcast instance configuration.

Mitigation Recommendations

A fix is available in Apache Camel versions 4.21.0, 4.14.8 (LTS), and 4.18.3. Users are strongly recommended to upgrade to one of these versions to resolve the vulnerability. For deployments that cannot upgrade immediately, it is advised to configure a deserialization filter on the Hazelcast instance using Hazelcast JavaSerializationFilterConfig or the JVM-wide system property -Djdk.serialFilter=!java.net.**;java.**;javax.**;org.apache.camel.**;!* and to enable Hazelcast cluster authentication and TLS to restrict cluster access. These mitigations reduce the risk of exploitation by limiting deserialization of untrusted data and restricting attacker access to the cluster.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-05-04T11:38:52.245Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null

Threat ID: 6a4b6caa27e9c797192521b9

Added to database: 07/06/2026, 08:51:54 UTC

Last enriched: 07/06/2026, 09:22:02 UTC

Last updated: 07/06/2026, 18:38:40 UTC

Views: 29

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses