Apache Camel CVE-2026-40858 Unsafe Deserialization Vulnerability Advisory

Apache Camel Security Advisory: CVE-2026-40858 Vulnerability Overview Severity: High Summary: An insecure deserialization vulnerability exists in the Camel-Infinispan component. Description: The remote aggregation repository based on ProtoStream uses for deserialization when reading data from a remote Infinispan cache, without applying any . If an attacker can write data to the Infinispan cache used by the Camel application, they can inject malicious serialized Java objects. When these objects are read during normal aggregation repository operations (such as or ), it results in arbitrary code execution within the application context. Affected Versions Affected Versions: - 4.0.0 to 4.14.7 (exclusive) - 4.15.0 to 4.18.2 (exclusive) - 4.19.0 to 4.20.0 (exclusive) Remediation Fixed Versions: 4.14.7, 4.18.2, 4.20.0 Mitigation: - Users are advised to upgrade to version 4.20.0. - If using the 4.14.x LTS release branch, it is recommended to upgrade to 4.14.7. - If using the 4.18.x release branch, it is recommended to upgrade to 4.18.2. Additional Information Discoverer: Feng Ning (from Innora Pte. Ltd.) References: - JIRA Ticket: https://issues.apache.org/jira/browse/CAMEL-23322 - PGP signed advisory data: CVE-2026-40858.txt.asc - Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-40858

Goal Reached Thanks to every supporter — we hit 100%!

Apache Camel CVE-2026-40858 Unsafe Deserialization Vulnerability Advisory