CVE-2026-43865: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
Deserialization of Untrusted Data vulnerability in Apache Camel Hazelcast component. The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user-supplied HazelcastInstance, hazelcastConfigUri, or referenced Config bean is provided - neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured, so objects received over the Hazelcast cluster protocol are deserialized inside Hazelcast's own serialization layer (ObjectInputStream.readObject) before Camel ever processes them. An attacker who can join or otherwise reach the Hazelcast cluster can publish a crafted serialized Java object that is then deserialized on every Camel node, resulting in remote code execution. The exposure is present by default and requires no opt-in endpoint configuration: any route using a hazelcast consumer (hazelcast-topic, hazelcast-queue, hazelcast-seda, hazelcast-map, hazelcast-multimap, hazelcast-replicatedmap, hazelcast-list, hazelcast-set), as well as the HazelcastAggregationRepository and HazelcastIdempotentRepository, is affected whenever the managed instance is created from Camel's default configuration. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes Camel apply a default Hazelcast JavaSerializationFilterConfig (whitelisting the java., javax. and org.apache.camel. class-name prefixes and blacklisting java.net.) to instances it creates from its own default configuration, while leaving any user-supplied Config or HazelcastInstance untouched. For deployments that cannot upgrade immediately, configure a deserialization filter on the Hazelcast instance (Hazelcast JavaSerializationFilterConfig, or the JVM-wide system property -Djdk.serialFilter=!java.net.**;java.**;javax.**;org.apache.camel.**;!*) and enable Hazelcast cluster authentication and TLS to restrict who can reach the cluster.
AI Analysis
Technical Summary
The Apache Camel camel-hazelcast component creates Hazelcast instances using a default configuration that does not apply any Java deserialization filter. When Camel builds the Hazelcast Config itself (i.e., no user-supplied HazelcastInstance, hazelcastConfigUri, or Config bean), neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured. Consequently, objects received over the Hazelcast cluster protocol are deserialized inside Hazelcast's serialization layer without filtering. An attacker able to join or reach the Hazelcast cluster can publish malicious serialized Java objects that get deserialized on every Camel node, leading to remote code execution. This vulnerability affects Apache Camel versions 4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0. The issue is fixed in versions 4.14.8, 4.18.3, and 4.21.0 by applying a default Hazelcast JavaSerializationFilterConfig that whitelists safe class prefixes and blacklists java.net classes. Users unable to upgrade immediately should configure deserialization filters manually and enable Hazelcast cluster authentication and TLS to restrict access.
Potential Impact
An attacker who can join or otherwise reach the Hazelcast cluster can send crafted serialized Java objects that are deserialized by the vulnerable Apache Camel nodes. This deserialization of untrusted data can lead to remote code execution on affected nodes. The exposure is present by default in affected versions and requires no special endpoint configuration, impacting any route using hazelcast consumers or repositories that rely on the default Hazelcast instance configuration.
Mitigation Recommendations
A fix is available in Apache Camel versions 4.21.0, 4.14.8 (LTS), and 4.18.3. Users are strongly recommended to upgrade to one of these versions to resolve the vulnerability. For deployments that cannot upgrade immediately, it is advised to configure a deserialization filter on the Hazelcast instance using Hazelcast JavaSerializationFilterConfig or the JVM-wide system property -Djdk.serialFilter=!java.net.**;java.**;javax.**;org.apache.camel.**;!* and to enable Hazelcast cluster authentication and TLS to restrict cluster access. These mitigations reduce the risk of exploitation by limiting deserialization of untrusted data and restricting attacker access to the cluster.
CVE-2026-43865: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
Description
Deserialization of Untrusted Data vulnerability in Apache Camel Hazelcast component. The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user-supplied HazelcastInstance, hazelcastConfigUri, or referenced Config bean is provided - neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured, so objects received over the Hazelcast cluster protocol are deserialized inside Hazelcast's own serialization layer (ObjectInputStream.readObject) before Camel ever processes them. An attacker who can join or otherwise reach the Hazelcast cluster can publish a crafted serialized Java object that is then deserialized on every Camel node, resulting in remote code execution. The exposure is present by default and requires no opt-in endpoint configuration: any route using a hazelcast consumer (hazelcast-topic, hazelcast-queue, hazelcast-seda, hazelcast-map, hazelcast-multimap, hazelcast-replicatedmap, hazelcast-list, hazelcast-set), as well as the HazelcastAggregationRepository and HazelcastIdempotentRepository, is affected whenever the managed instance is created from Camel's default configuration. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes Camel apply a default Hazelcast JavaSerializationFilterConfig (whitelisting the java., javax. and org.apache.camel. class-name prefixes and blacklisting java.net.) to instances it creates from its own default configuration, while leaving any user-supplied Config or HazelcastInstance untouched. For deployments that cannot upgrade immediately, configure a deserialization filter on the Hazelcast instance (Hazelcast JavaSerializationFilterConfig, or the JVM-wide system property -Djdk.serialFilter=!java.net.**;java.**;javax.**;org.apache.camel.**;!*) and enable Hazelcast cluster authentication and TLS to restrict who can reach the cluster.
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-hazelcastRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Apache Camel camel-hazelcast component creates Hazelcast instances using a default configuration that does not apply any Java deserialization filter. When Camel builds the Hazelcast Config itself (i.e., no user-supplied HazelcastInstance, hazelcastConfigUri, or Config bean), neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured. Consequently, objects received over the Hazelcast cluster protocol are deserialized inside Hazelcast's serialization layer without filtering. An attacker able to join or reach the Hazelcast cluster can publish malicious serialized Java objects that get deserialized on every Camel node, leading to remote code execution. This vulnerability affects Apache Camel versions 4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0. The issue is fixed in versions 4.14.8, 4.18.3, and 4.21.0 by applying a default Hazelcast JavaSerializationFilterConfig that whitelists safe class prefixes and blacklists java.net classes. Users unable to upgrade immediately should configure deserialization filters manually and enable Hazelcast cluster authentication and TLS to restrict access.
Potential Impact
An attacker who can join or otherwise reach the Hazelcast cluster can send crafted serialized Java objects that are deserialized by the vulnerable Apache Camel nodes. This deserialization of untrusted data can lead to remote code execution on affected nodes. The exposure is present by default in affected versions and requires no special endpoint configuration, impacting any route using hazelcast consumers or repositories that rely on the default Hazelcast instance configuration.
Mitigation Recommendations
A fix is available in Apache Camel versions 4.21.0, 4.14.8 (LTS), and 4.18.3. Users are strongly recommended to upgrade to one of these versions to resolve the vulnerability. For deployments that cannot upgrade immediately, it is advised to configure a deserialization filter on the Hazelcast instance using Hazelcast JavaSerializationFilterConfig or the JVM-wide system property -Djdk.serialFilter=!java.net.**;java.**;javax.**;org.apache.camel.**;!* and to enable Hazelcast cluster authentication and TLS to restrict cluster access. These mitigations reduce the risk of exploitation by limiting deserialization of untrusted data and restricting attacker access to the cluster.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-04T11:38:52.245Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4b6caa27e9c797192521b9
Added to database: 07/06/2026, 08:51:54 UTC
Last enriched: 07/06/2026, 09:22:02 UTC
Last updated: 07/06/2026, 18:38:40 UTC
Views: 29
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.