Vulnerability-Lookup

RHSA-2026:22453

Vulnerability from csaf_redhat - Published: 2026-06-02 11:27 - Updated: 2026-06-03 11:38

Summary

Red Hat Security Advisory: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.1.GA)

Severity

Important

Notes

Topic: An update for Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.1.GA). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product Security has rated this update as having a security impact of Important.

Details: An update for Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.1.GA). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products: * camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data [rhboac-camel-quarkus-3] (CVE-2026-40858) * camel-infinispan-common: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data [rhboac-camel-quarkus-3] (CVE-2026-40858) * camel-amqp: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage [rhboac-camel-quarkus-3] (CVE-2026-40860) * camel-jms: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage [rhboac-camel-quarkus-3] (CVE-2026-40860) * camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization [rhboac-camel-quarkus-3] (CVE-2026-6857) * jetty-http: HTTP request smuggling via chunked extension quoted-string parsing [rhboac-camel-quarkus-3] (CVE-2026-2332)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-2332

A flaw was found in Eclipse Jetty. The HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used. An attacker can inject crafted requests to manipulate and trick the parser. This issue can lead to security controls bypass, cache poisoning or unauthorized endpoint access.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 Red Hat / Red Hat Build of Apache Camel	`cpe:/a:redhat:apache_camel_quarkus:3.33`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-6857

A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 Red Hat / Red Hat Build of Apache Camel	`cpe:/a:redhat:apache_camel_quarkus:3.33`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-40858

A flaw was found in the camel-infinispan component of Apache Camel. A remote attacker, with the ability to write to the Infinispan cache, can inject a specially crafted serialized Java object. When this object is deserialized during normal aggregation repository operations, it can lead to arbitrary code execution within the application. This vulnerability stems from the component's use of java.io.ObjectInputStream without proper input filtering.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 Red Hat / Red Hat Build of Apache Camel	`cpe:/a:redhat:apache_camel_quarkus:3.33`	—	Vendor Fix fix

Threats

Impact Important

CVE-2026-40860

A flaw was found in Apache Camel. A remote attacker could exploit a deserialization vulnerability by sending a specially crafted Java Message Service (JMS) ObjectMessage to a Camel application acting as a JMS consumer. This vulnerability arises because the application deserializes the message payload without proper validation. Successful exploitation could lead to remote code execution on the system consuming the message, provided a deserialization gadget chain is present on the classpath.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 Red Hat / Red Hat Build of Apache Camel	`cpe:/a:redhat:apache_camel_quarkus:3.33`	—	Vendor Fix fix

Threats

Impact Important

References

32 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:22453	self
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/cve/CVE-2026-40858	external
https://access.redhat.com/security/cve/CVE-2026-40860	external
https://access.redhat.com/security/cve/CVE-2026-6857	external
https://access.redhat.com/security/cve/CVE-2026-2332	external
https://bugzilla.redhat.com/show_bug.cgi?id=2458187	external
https://bugzilla.redhat.com/show_bug.cgi?id=2460003	external
https://bugzilla.redhat.com/show_bug.cgi?id=2463172	external
https://bugzilla.redhat.com/show_bug.cgi?id=2463179	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-2332	self
https://bugzilla.redhat.com/show_bug.cgi?id=2458187	external
https://www.cve.org/CVERecord?id=CVE-2026-2332	external
https://nvd.nist.gov/vuln/detail/CVE-2026-2332	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assignmen…	external
https://access.redhat.com/security/cve/CVE-2026-6857	self
https://bugzilla.redhat.com/show_bug.cgi?id=2460003	external
https://www.cve.org/CVERecord?id=CVE-2026-6857	external
https://nvd.nist.gov/vuln/detail/CVE-2026-6857	external
https://access.redhat.com/security/cve/CVE-2026-40858	self
https://bugzilla.redhat.com/show_bug.cgi?id=2463179	external
https://www.cve.org/CVERecord?id=CVE-2026-40858	external
https://nvd.nist.gov/vuln/detail/CVE-2026-40858	external
https://camel.apache.org/security/CVE-2026-40858.html	external
https://access.redhat.com/security/cve/CVE-2026-40860	self
https://bugzilla.redhat.com/show_bug.cgi?id=2463172	external
https://www.cve.org/CVERecord?id=CVE-2026-40860	external
https://nvd.nist.gov/vuln/detail/CVE-2026-40860	external
http://www.openwall.com/lists/oss-security/2026/0…	external
https://camel.apache.org/security/CVE-2026-40860.html	external

Acknowledgments

Innora Pte. Ltd. Feng Ning

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.1.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\nRed Hat Product Security has rated this update as having a security impact of Important.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "An update for Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.1.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n*  camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data [rhboac-camel-quarkus-3] (CVE-2026-40858)\n*  camel-infinispan-common: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data [rhboac-camel-quarkus-3] (CVE-2026-40858)\n*  camel-amqp: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage [rhboac-camel-quarkus-3] (CVE-2026-40860)\n*  camel-jms: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage [rhboac-camel-quarkus-3] (CVE-2026-40860)\n*  camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization [rhboac-camel-quarkus-3] (CVE-2026-6857)\n*  jetty-http: HTTP request smuggling via chunked extension quoted-string parsing [rhboac-camel-quarkus-3] (CVE-2026-2332)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:22453",
        "url": "https://access.redhat.com/errata/RHSA-2026:22453"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-40858",
        "url": "https://access.redhat.com/security/cve/CVE-2026-40858"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-40860",
        "url": "https://access.redhat.com/security/cve/CVE-2026-40860"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-6857",
        "url": "https://access.redhat.com/security/cve/CVE-2026-6857"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-2332",
        "url": "https://access.redhat.com/security/cve/CVE-2026-2332"
      },
      {
        "category": "external",
        "summary": "2458187",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458187"
      },
      {
        "category": "external",
        "summary": "2460003",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460003"
      },
      {
        "category": "external",
        "summary": "2463172",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463172"
      },
      {
        "category": "external",
        "summary": "2463179",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463179"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_22453.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.1.GA)",
    "tracking": {
      "current_release_date": "2026-06-03T11:38:39+00:00",
      "generator": {
        "date": "2026-06-03T11:38:39+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.1"
        }
      },
      "id": "RHSA-2026:22453",
      "initial_release_date": "2026-06-02T11:27:09+00:00",
      "revision_history": [
        {
          "date": "2026-06-02T11:27:09+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-02T11:27:09+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-03T11:38:39+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33",
                "product": {
                  "name": "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33",
                  "product_id": "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:apache_camel_quarkus:3.33"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Build of Apache Camel"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-2332",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-04-14T12:01:05.768902+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2458187"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse Jetty. The HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used. An attacker can inject crafted requests to manipulate and trick the parser. This issue can lead to security controls bypass, cache poisoning or unauthorized endpoint access.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this issue, an attacker needs to send a crafted payload to a Jetty server that is behind a reverse proxy or load balancer, specifically with a chunk extension that includes an unclosed double quote before the CRLF to trick the parser. This flaw allows an attacker to bypass security controls, cause cache poisoning or gain unauthorized endpoint access. Due to these reasons, this vulnerability has been rated with an important severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-2332"
        },
        {
          "category": "external",
          "summary": "RHBZ#2458187",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458187"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-2332",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2332"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2332",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2332"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/89",
          "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/89"
        }
      ],
      "release_date": "2026-04-14T10:59:10.193000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-02T11:27:09+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22453"
        },
        {
          "category": "workaround",
          "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Feng Ning"
          ],
          "organization": "Innora Pte. Ltd."
        }
      ],
      "cve": "CVE-2026-6857",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2026-04-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2460003"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability has an Important impact on Red Hat products utilizing `camel-infinispan` for remote aggregation. The flaw stems from unsafe deserialization within the ProtoStream remote aggregation repository, which could lead to remote code execution. This affects Red Hat Enterprise Application Platform and Red Hat JBoss Fuse when configured to use `camel-infinispan`.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-6857"
        },
        {
          "category": "external",
          "summary": "RHBZ#2460003",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460003"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-6857",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6857"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6857",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6857"
        }
      ],
      "release_date": "2026-04-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-02T11:27:09+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22453"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization"
    },
    {
      "cve": "CVE-2026-40858",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2026-04-27T10:01:35.538625+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2463179"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the camel-infinispan component of Apache Camel. A remote attacker, with the ability to write to the Infinispan cache, can inject a specially crafted serialized Java object. When this object is deserialized during normal aggregation repository operations, it can lead to arbitrary code execution within the application. This vulnerability stems from the component\u0027s use of java.io.ObjectInputStream without proper input filtering.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.camel/camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-40858"
        },
        {
          "category": "external",
          "summary": "RHBZ#2463179",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463179"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-40858",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-40858"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40858",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40858"
        },
        {
          "category": "external",
          "summary": "https://camel.apache.org/security/CVE-2026-40858.html",
          "url": "https://camel.apache.org/security/CVE-2026-40858.html"
        }
      ],
      "release_date": "2026-04-27T09:38:55.466000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-02T11:27:09+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22453"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.apache.camel/camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data"
    },
    {
      "cve": "CVE-2026-40860",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2026-04-27T10:01:11.044535+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2463172"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Camel. A remote attacker could exploit a deserialization vulnerability by sending a specially crafted Java Message Service (JMS) ObjectMessage to a Camel application acting as a JMS consumer. This vulnerability arises because the application deserializes the message payload without proper validation. Successful exploitation could lead to remote code execution on the system consuming the message, provided a deserialization gadget chain is present on the classpath.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Apache Camel: camel-jms: camel-sjms: camel-sjms2: camel-amqp: camel-activemq: camel-activemq6: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-40860"
        },
        {
          "category": "external",
          "summary": "RHBZ#2463172",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463172"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-40860",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-40860"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40860",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40860"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2026/04/26/10",
          "url": "http://www.openwall.com/lists/oss-security/2026/04/26/10"
        },
        {
          "category": "external",
          "summary": "https://camel.apache.org/security/CVE-2026-40860.html",
          "url": "https://camel.apache.org/security/CVE-2026-40860.html"
        }
      ],
      "release_date": "2026-04-27T08:03:19.616000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-02T11:27:09+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:22453"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Apache Camel: camel-jms: camel-sjms: camel-sjms2: camel-amqp: camel-activemq: camel-activemq6: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage"
    }
  ]
}

CVE-2026-2332 (GCVE-0-2026-2332)

Vulnerability from cvelistv5 – Published: 2026-04-14 10:59 – Updated: 2026-04-15 03:58

Title

HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Summary

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-444 - Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling')

Assigner

eclipse

References

2 references

URL	Tags
https://github.com/jetty/jetty.project/security/a…	third-party-advisory
https://gitlab.eclipse.org/security/cve-assignmen…	issue-tracking

Impacted products

1 product

Vendor	Product	Version
Eclipse Foundation	Eclipse Jetty	Affected: 12.1.0 , ≤ 12.1.6 (semver) Affected: 12.0.0 , ≤ 12.0.32 (semver) Affected: 11.0.0 , ≤ 11.0.27 (semver) Affected: 10.0.0 , ≤ 10.0.27 (semver) Affected: 9.4.0 , ≤ 9.4.59 (semver)

Credits

https://github.com/xclow3n

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2332",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-15T03:58:12.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "pkg://maven/org.eclipse.jetty/jetty-http",
          "product": "Eclipse Jetty",
          "repo": "https://github.com/jetty/jetty.project",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThanOrEqual": "12.1.6",
              "status": "affected",
              "version": "12.1.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "12.0.32",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.0.27",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.27",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.4.59",
              "status": "affected",
              "version": "9.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "https://github.com/xclow3n"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the \"funky chunks\" techniques outlined here:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan\u003ehttps://w4ke.info/2025/06/18/funky-chunks.html\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003ehttps://w4ke.info/2025/10/29/funky-chunks-2.html\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003eJetty terminates chunk extension parsing at\u0026nbsp;\u003ccode\u003e\\r\\n\u003c/code\u003e\u0026nbsp;inside quoted strings instead of treating this as an error.\u003cbr\u003e\u003cbr\u003e\n\u003cpre\u003ePOST / HTTP/1.1\nHost: localhost\nTransfer-Encoding: chunked\n\n1;ext=\"val\nX\n0\n\nGET /smuggled HTTP/1.1\n...\n\u003c/pre\u003e\n\n\u003cdiv\u003e\u003cbr\u003eNote how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the \"funky chunks\" techniques outlined here:\n  *  https://w4ke.info/2025/06/18/funky-chunks.html\n\n  *  https://w4ke.info/2025/10/29/funky-chunks-2.html\n\n\nJetty terminates chunk extension parsing at\u00a0\\r\\n\u00a0inside quoted strings instead of treating this as an error.\n\n\nPOST / HTTP/1.1\nHost: localhost\nTransfer-Encoding: chunked\n\n1;ext=\"val\nX\n0\n\nGET /smuggled HTTP/1.1\n...\n\n\n\n\n\nNote how the chunk extension does not close the double quotes, and it is able to inject a smuggled request."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent interpretation of HTTP requests (\u0027HTTP Request/Response smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-14T10:59:10.193Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/89"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HTTP Request Smuggling via Chunked Extension Quoted-String Parsing",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2026-2332",
    "datePublished": "2026-04-14T10:59:10.193Z",
    "dateReserved": "2026-02-11T09:56:25.879Z",
    "dateUpdated": "2026-04-15T03:58:12.322Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40858 (GCVE-0-2026-40858)

Vulnerability from cvelistv5 – Published: 2026-04-27 09:38 – Updated: 2026-04-28 03:55

Title

Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository

Summary

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23322 refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

1 reference

URL	Tags
https://camel.apache.org/security/CVE-2026-40858.html	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Camel	Affected: 4.0.0 , < 4.14.7 (semver) Affected: 4.15.0 , < 4.18.2 (semver) Affected: 4.19.0 , < 4.20.0 (semver)

Credits

Feng Ning from Innora Pte. Ltd.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-40858",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-27T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T03:55:36.092Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.camel:camel-infinispan",
          "product": "Apache Camel",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "4.14.7",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.18.2",
              "status": "affected",
              "version": "4.15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20.0",
              "status": "affected",
              "version": "4.19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Feng Ning from Innora Pte. Ltd."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe camel-infinispan component\u0027s ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.\u003c/p\u003e\u003cp\u003eThe JIRA ticket: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://issues.apache.org/jira/browse/CAMEL-23322\"\u003ehttps://issues.apache.org/jira/browse/CAMEL-23322\u003c/a\u003e refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "The camel-infinispan component\u0027s ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application.\n\nThis issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.\n\nUsers are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.\n\nThe JIRA ticket:  https://issues.apache.org/jira/browse/CAMEL-23322  refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T09:38:55.466Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://camel.apache.org/security/CVE-2026-40858.html"
        }
      ],
      "source": {
        "defect": [
          "CAMEL-23322"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-40858",
    "datePublished": "2026-04-27T09:38:55.466Z",
    "dateReserved": "2026-04-15T12:16:41.226Z",
    "dateUpdated": "2026-04-28T03:55:36.092Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40860 (GCVE-0-2026-40860)

Vulnerability from cvelistv5 – Published: 2026-04-27 08:03 – Updated: 2026-04-28 03:55

Title

Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp

Summary

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

2 references

URL	Tags
https://camel.apache.org/security/CVE-2026-40860.html	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Camel	Affected: 3.0.0 , < 4.14.7 (semver) Affected: 4.15.0 , < 4.18.2 (semver) Affected: 4.19.0 , < 4.20.0 (semver)

Credits

Venkatraman Kumar from Securin

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-27T08:55:18.390Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/26/10"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-40860",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-27T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T03:55:40.595Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.camel:camel-jms",
          "product": "Apache Camel",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "4.14.7",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.18.2",
              "status": "affected",
              "version": "4.15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20.0",
              "status": "affected",
              "version": "4.19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Venkatraman Kumar from Securin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eJmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.\u003c/p\u003e"
            }
          ],
          "value": "JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6.\n\nThis issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.\n\nUsers are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T08:03:19.616Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://camel.apache.org/security/CVE-2026-40860.html"
        }
      ],
      "source": {
        "defect": [
          "CAMEL-23321"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-40860",
    "datePublished": "2026-04-27T08:03:19.616Z",
    "dateReserved": "2026-04-15T12:44:39.673Z",
    "dateUpdated": "2026-04-28T03:55:40.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6857 (GCVE-0-2026-6857)

Vulnerability from cvelistv5 – Published: 2026-04-22 12:55 – Updated: 2026-06-02 17:18

Title

Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization

Summary

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

redhat

References

4 references

URL	Tags
https://access.redhat.com/errata/RHSA-2026:17668	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22453	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-6857	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2460003	issue-trackingx_refsource_REDHAT

Impacted products

6 products

Vendor	Product	Version
Red Hat	Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14	cpe:/a:redhat:apache_camel_spring_boot:4.18
Red Hat	Red Hat Build of Apache Camel 4.18 for Quarkus 3.33	cpe:/a:redhat:apache_camel_quarkus:3.33
Red Hat	Red Hat build of Apache Camel 4 for Quarkus 3	cpe:/a:redhat:camel_quarkus:3
Red Hat	Red Hat Fuse 7	cpe:/a:redhat:jboss_fuse:7
Red Hat	Red Hat JBoss Enterprise Application Platform 8	cpe:/a:redhat:jboss_enterprise_application_platform:8
Red Hat	Red Hat JBoss Enterprise Application Platform Expansion Pack	cpe:/a:redhat:jbosseapxp

Date Public

2026-04-13 00:00

Credits

Red Hat would like to thank Feng Ning (Innora Pte. Ltd.) for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6857",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T13:34:17.880468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T13:34:30.098Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:apache_camel_spring_boot:4.18"
          ],
          "defaultStatus": "unaffected",
          "packageName": "camel-infinispan",
          "product": "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:apache_camel_quarkus:3.33"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:3"
          ],
          "defaultStatus": "affected",
          "packageName": "camel-infinispan",
          "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "affected",
          "packageName": "camel-infinispan",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "camel-infinispan",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jbosseapxp"
          ],
          "defaultStatus": "unaffected",
          "packageName": "camel-infinispan",
          "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Feng Ning (Innora Pte. Ltd.) for reporting this issue."
        }
      ],
      "datePublic": "2026-04-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T17:18:45.969Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:17668",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:17668"
        },
        {
          "name": "RHSA-2026:22453",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:22453"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-6857"
        },
        {
          "name": "RHBZ#2460003",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460003"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-13T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-13T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-502: Deserialization of Untrusted Data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-6857",
    "datePublished": "2026-04-22T12:55:00.791Z",
    "dateReserved": "2026-04-22T12:43:14.958Z",
    "dateUpdated": "2026-06-02T17:18:45.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:22453

CVE-2026-2332 (GCVE-0-2026-2332)

CVE-2026-40858 (GCVE-0-2026-40858)

CVE-2026-40860 (GCVE-0-2026-40860)

CVE-2026-6857 (GCVE-0-2026-6857)

Tags

Sightings

Nomenclature