Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.2%top 93%

CVE-2026-43866: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel

0
High
VulnerabilityCVE-2026-43866cvecve-2026-43866cwe-502
Published: 07/06/2026 (07/06/2026, 08:35:04 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Camel

Description

Deserialization of Untrusted Data vulnerability in Apache Camel, Apache Camel JMS component. JmsBinding.extractBodyFromJms() in camel-jms - and the equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject() whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer. The CVE-2026-40860 hardening added a post-deserialization class check that rejects classes outside the default allow-list java.**;javax.**;org.apache.camel.**;!*. However org.apache.camel.support.DefaultExchangeHolder itself lives in the allow-listed org.apache.camel.** namespace, so an ObjectMessage whose top-level object is a DefaultExchangeHolder passes the check. The receiving side then calls DefaultExchangeHolder.unmarshal() on it without requiring the transferExchange option to be enabled - an asymmetric trust boundary, since the sending side gates ObjectMessage and transferExchange handling but the receiving side did not - writing every non-null field of the holder into the Exchange: the message body, the IN and OUT headers, the exchange properties, the variables, the exchange id and the exception. An attacker who can publish an ObjectMessage to a queue or topic consumed by an affected Camel application can therefore inject arbitrary Exchange state using only universally-trusted java.lang and java.util types, with no deserialization gadget chain required, to manipulate routing and headers, exchange properties and error handling. The same handling applies to camel-sjms and camel-sjms2, and to the JMS-family components built on JmsComponent and JmsBinding: camel-amqp, camel-activemq and camel-activemq6. This is a bypass of the CVE-2026-40860 fix rather than a flaw in it. This issue affects Apache Camel: from 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0; Apache Camel: from 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, JMS ObjectMessage handling is disabled by default in camel-jms, camel-sjms and the JMS-family components (a new objectMessageEnabled option defaults to false at the component and endpoint level), so an incoming ObjectMessage - including a DefaultExchangeHolder payload - is no longer deserialized unless the option is explicitly enabled; only set objectMessageEnabled=true when the consumed JMS destination is fed exclusively by trusted producers. For deployments that cannot upgrade immediately, restrict publish access to the queues and topics consumed by Camel to trusted producers via JMS broker authorization, and do not expose JMS consumers that map ObjectMessage bodies to untrusted networks; a JMS-provider deserialization allow-list does not mitigate this specific bypass because the crafted payload uses only universally-trusted classes.

CVSS v3.1

Score 7.3high

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected software

Apache Software Foundation/org.apache.camel:camel-jms
pkg:maven/Apache Software Foundation/org.apache.camel:camel-jms
Affected versions
>=3.0.0 <4.14.8>=4.15.0 <4.18.3>=4.19.0 <4.21.0
Apache Software Foundation/org.apache.camel:camel-sjms
pkg:maven/Apache Software Foundation/org.apache.camel:camel-sjms
Affected versions
>=3.0.0 <4.14.8>=4.15.0 <4.18.3>=4.19.0 <4.21.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 09:21:54 UTC

Technical Analysis

The vulnerability arises in Apache Camel JMS components (camel-jms, camel-sjms, camel-amqp, camel-activemq, camel-activemq6) where the JmsBinding.extractBodyFromJms() method deserializes JMS ObjectMessage payloads when the mapJmsMessage option is enabled (default). A prior fix (CVE-2026-40860) implemented a class allow-list to restrict deserialization, but the class DefaultExchangeHolder, residing in the allowed org.apache.camel.** namespace, can be used to bypass this check. An attacker publishing a crafted ObjectMessage with a DefaultExchangeHolder payload can inject arbitrary Exchange state (message body, headers, properties, variables, exceptions) without requiring a gadget chain. This asymmetric trust boundary flaw allows manipulation of routing and error handling. The vulnerability affects Apache Camel versions 3.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0. The issue is resolved by upgrading to 4.21.0, 4.14.8, or 4.18.3, where ObjectMessage deserialization is disabled by default via a new objectMessageEnabled option. Mitigations for those who cannot upgrade include restricting JMS publish access to trusted producers and avoiding exposure of JMS consumers mapping ObjectMessage bodies to untrusted networks.

Potential Impact

An attacker able to publish JMS ObjectMessages to a queue or topic consumed by an affected Apache Camel application can inject arbitrary Exchange state, including message bodies, headers, properties, and exceptions. This can manipulate routing, headers, exchange properties, and error handling within the Camel application. The vulnerability bypasses prior deserialization allow-list protections by exploiting a trusted class in the allowed namespace. This can lead to unauthorized control over message processing flows and potentially disrupt application behavior.

Mitigation Recommendations

A fix is available by upgrading Apache Camel to version 4.21.0, 4.14.8 (for 4.14.x LTS), or 4.18.3 (for 4.18.x releases). These versions disable JMS ObjectMessage deserialization by default via the new objectMessageEnabled option, which must be explicitly enabled only when consuming JMS destinations fed exclusively by trusted producers. For deployments unable to upgrade immediately, restrict publish access to JMS queues and topics consumed by Camel to trusted producers using JMS broker authorization. Avoid exposing JMS consumers that map ObjectMessage bodies to untrusted networks. Note that JMS-provider deserialization allow-lists do not mitigate this bypass since the crafted payload uses only universally trusted classes.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-05-04T11:44:06.700Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null

Threat ID: 6a4b6caa27e9c797192521bc

Added to database: 07/06/2026, 08:51:54 UTC

Last enriched: 07/06/2026, 09:21:54 UTC

Last updated: 07/07/2026, 00:01:18 UTC

Views: 14

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses