CVE-2026-40860— Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing Application T1203 · Exploitation for Client ExecutionGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40860
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp
Source: NVD (National Vulnerability Database)
Vulnerability Description
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Camel 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Camel是美国阿帕奇(Apache)基金会的一套开源的基于Enterprise Integration Pattern(企业整合模式,简称EIP)的集成框架。该框架提供企业集成模式的Java对象(POJO)的实现,且通过应用程序接口来配置路由和中介的规则。 Apache Camel 3.0.0版本至4.14.7之前版本、4.15.0版本至4.18.2之前版本和4.19.0版本至4.20.0之前版本存在代码问题漏洞,该漏洞源于camel-jms和camel-sjms组件反序列化JMS Obj
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Camel | 3.0.0 ~ 4.14.7 | - |
II. Public POCs for CVE-2026-40860
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40860
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-40860 (1)
Same Patch Batch · Apache Software Foundation · 2026-04-27 · 13 CVEs total
| CVE-2026-41409 | 9.8 CRITICAL | Apache MINA: CWE-502 Deserialization of Untrusted Data |
| CVE-2026-41635 | 9.8 CRITICAL | Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter |
| CVE-2026-40557 | Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also | |
| CVE-2026-41081 | Apache Storm Client: Anonymous principal assigned on TLS client certificate verification f | |
| CVE-2026-27172 | Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary | |
| CVE-2026-33453 | Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows S | |
| CVE-2026-33454 | Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code | |
| CVE-2026-40022 | Apache Camel Platform HTTP Main: Authentication Bypass on Non-Root Context Paths in camel | |
| CVE-2026-40858 | Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository | |
| CVE-2026-40453 | Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-20 | |
| CVE-2026-40048 | Apache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager | |
| CVE-2026-40473 | Apache Camel Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP |
IV. Related Vulnerabilities
Same product: Apache Camel
- CVE-2026-47323
Apache Camel: Camel-CXF Message Header Injection via Missing - CVE-2026-27172
Apache Camel: Unsafe Java deserialization in camel-consul Co - CVE-2026-33453
Apache Camel: CoAP URI Query Parameter to Exchange Header In - CVE-2026-33454
Apache Camel: Inbound Header Filter Missing in MailHeaderFil - CVE-2026-40858
Apache Camel: Camel-Infinispan: Unsafe Deserialization in Re
Same vendor: Apache Software Foundation
- CVE-2026-48589
Apache Shiro: Jakarta EE open redirect via untrusted Referer - CVE-2026-44598
Apache Shiro Jakarta EE module: Open redirect and SSRF (requ - CVE-2026-43828
Apache Shiro: Shiro's native session and rememberMe cookies - CVE-2026-43827
Apache Shiro: Session fixation: new session is not created a - CVE-2026-42797
Apache Syncope: JexlContextBuilder Information Disclosure
Same weakness: CWE-502
- CVE-2026-9497
changmingxie tcc-transaction Fastjson AutoType REST API Fast - CVE-2026-41104
Microsoft Planetary Computer Pro Information Disclosure Vuln - CVE-2026-45659
Microsoft SharePoint Remote Code Execution Vulnerability - CVE-2026-9291
Insecure Deserialization in Amazon Braket SDK Job Results Pr - CVE-2026-8135
Concrete CMS 9.5.0 and below is vulnerable to RCE due to ins
V. Comments for CVE-2026-40860
No comments yet