Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-43865— Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution

AI Predicted 9.8 Difficulty: Easy EPSS 0.80% · P52

Affected Version Matrix 3

VendorProductVersion RangeStatus
Apache Software FoundationApache Camel4.0.0< 4.14.8affected
4.15.0< 4.18.3affected
4.19.0< 4.21.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43865

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution
Source: NVD (National Vulnerability Database)
Vulnerability Description
Deserialization of Untrusted Data vulnerability in Apache Camel Hazelcast component. The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user-supplied HazelcastInstance, hazelcastConfigUri, or referenced Config bean is provided - neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured, so objects received over the Hazelcast cluster protocol are deserialized inside Hazelcast's own serialization layer (ObjectInputStream.readObject) before Camel ever processes them. An attacker who can join or otherwise reach the Hazelcast cluster can publish a crafted serialized Java object that is then deserialized on every Camel node, resulting in remote code execution. The exposure is present by default and requires no opt-in endpoint configuration: any route using a hazelcast consumer (hazelcast-topic, hazelcast-queue, hazelcast-seda, hazelcast-map, hazelcast-multimap, hazelcast-replicatedmap, hazelcast-list, hazelcast-set), as well as the HazelcastAggregationRepository and HazelcastIdempotentRepository, is affected whenever the managed instance is created from Camel's default configuration. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes Camel apply a default Hazelcast JavaSerializationFilterConfig (whitelisting the java., javax. and org.apache.camel. class-name prefixes and blacklisting java.net.) to instances it creates from its own default configuration, while leaving any user-supplied Config or HazelcastInstance untouched. For deployments that cannot upgrade immediately, configure a deserialization filter on the Hazelcast instance (Hazelcast JavaSerializationFilterConfig, or the JVM-wide system property -Djdk.serialFilter=!java.net.**;java.**;javax.**;org.apache.camel.**;!*) and enable Hazelcast cluster authentication and TLS to restrict who can reach the cluster.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Camel 反序列化注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache camel是美国Apache基金会开源的一个企业集成模式框架。 Apache Camel存在反序列化注入漏洞,该漏洞源于Hazelcast组件在默认配置下未应用Java反序列化过滤器,导致攻击者可加入Hazelcast集群并发布特制序列化Java对象,从而在Camel节点上触发远程代码执行。以下版本受到影响:4.0.0版本至4.14.8之前版本、4.15.0版本至4.18.3之前版本和4.19.0版本至4.21.0之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache Camel 4.0.0 ~ 4.14.8 -

II. Public POCs for CVE-2026-43865

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43865

登录查看更多情报信息。

Vendor Advisories for CVE-2026-43865 (1)

Same Patch Batch · Apache Software Foundation · 2026-07-06 · 39 CVEs total

CVE-2026-46584Apache Camel Mail: The mail producer applied attacker-supplied message headers as JavaMail
CVE-2026-48206Apache Camel JIRA: A set of non-Camel-prefixed Exchange header constants bypass the HTTP h
CVE-2026-48205Apache Camel DNS: The dns.* and term Exchange header constants used non-Camel-prefixed nam
CVE-2026-48204Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed n
CVE-2026-48203Apache Camel: Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-
CVE-2026-46726Apache Camel Vertx Websocket: The inbound consumer maps externally-supplied WebSocket quer
CVE-2026-46592Apache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed name
CVE-2026-46591Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header a
CVE-2026-46590Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle manager
CVE-2026-46585Apache Camel Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETUR
CVE-2026-49086Apache Camel Dapr: Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic
CVE-2026-46457Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange withou
CVE-2026-46456Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange with
CVE-2026-46455Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the
CVE-2026-46454Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange wi
CVE-2026-46453Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel
CVE-2026-42527Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables
CVE-2026-40859Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a
CVE-2026-40047Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argum
CVE-2026-56140Apache Camel AWS2 SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStra

Showing top 20 of 39 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-43865

No comments yet


Leave a comment