High (8.8)

Camel MINA unauthenticated RCE (CVE-2026-40473)


CVE-2026-40473: Apache Camel MINA component deserialization flaw grants unauthenticated RCE over TCP/UDP (CVSS 8.8). Upgrade to 4.20.0, 4.14.6, or 4.18.2.

Affected: Apache Camel

Vendor-confirmed - CVE-2026-40473 is a high-severity deserialization flaw in Apache Camel’s camel-mina component that grants unauthenticated remote code execution when a MINA consumer receives crafted serialized objects over TCP or UDP. Patched in Camel 4.20.0; update systems immediately.

Overview

CVE-2026-40473 affects the MinaConverter.toObjectInput(IoBuffer) type converter in Apache Camel’s camel-mina component. The converter wraps an inbound IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. This omission allows an attacker to send a crafted serialized Java object to a MINA TCP or UDP consumer port. When a Camel route processes the message body (e.g., via getBody(ObjectInput.class) or @Body ObjectInput annotation), the unsafe readObject() call can trigger arbitrary code execution in the application’s context.
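The pattern the overview describes, shown as an added example that is not Camel's own code: a converter that hands raw network bytes straight to ObjectInputStream, beside one that installs a JEP 290 allowlist filter before calling readObject(). A ByteArrayInputStream stands in for the input stream camel-mina would obtain from the IoBuffer, so the demo runs with the JDK alone (Java 9 or later); the allowlist contents and the HashMap used as a stand-in for a gadget class are assumptions chosen for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

public class FilteredObjectInputDemo {

    // Vulnerable shape (assumed to mirror the advisory's description, not Camel's code):
    // raw bytes from the socket are wrapped in an ObjectInputStream with no filter,
    // so the sender chooses which Serializable class on the classpath gets instantiated.
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    // Hardened shape: an allowlist ObjectInputFilter. Only the named classes are
    // accepted, "!*" rejects everything else, and maxdepth/maxrefs bound nesting
    // so a deeply nested graph cannot exhaust the stack or heap. The allowlist
    // here is an assumption for the demo; a real route lists its own payload types.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;maxdepth=5;maxrefs=100;!*");

    static Object readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(ALLOWLIST); // must be set before readObject()
            return in.readObject();
        }
    }

    // Helper to build constructed wire payloads for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize("hello");
        Map<String, Integer> m = new HashMap<>();
        m.put("k", 1);
        // HashMap is harmless here; it stands in for a class the route never meant to accept.
        byte[] unexpected = serialize(m);

        // Unfiltered: whatever the sender put on the wire is instantiated.
        System.out.println("unfiltered accepted: " + readUnfiltered(unexpected));
        // Filtered: the expected type still works...
        System.out.println("filtered accepted:   " + readFiltered(expected));
        // ...and the unexpected class is refused before its fields are read.
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected HashMap: " + e.getMessage());
        }
    }
}
```

The filter is consulted when the class descriptor is read, before any field of the rejected object is deserialized, which is what stops gadget chains. Where the converter cannot be changed yet, the same allowlist syntax can be applied process-wide with the JVM property -Djdk.serialFilter=... (or ObjectInputFilter.Config.setSerialFilter), which also covers any other unfiltered ObjectInputStream in the application.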

The vulnerability is exploitable over the network with low complexity. An attacker requires no user interaction and only low privileges to send a malicious payload. The CVSS score is 8.8 (HIGH).

Affected Versions

  • Apache Camel 3.0.0 through 4.14.5 (fixed in 4.14.6 for the 4.14.x LTS stream)
  • Apache Camel 4.15.0 through 4.18.1 (fixed in 4.18.2)
  • Apache Camel 4.19.0 through 4.19.9 (fixed in 4.20.0)

Users running earlier versions or unreleased builds should assume they are vulnerable.

Remediation and Mitigation

Upgrade immediately to the appropriate fixed version:

  • Latest stream: Upgrade to Apache Camel 4.20.0
  • 4.14.x LTS stream: Upgrade to 4.14.6
  • 4.18.x stream: Upgrade to 4.18.2

If immediate patching is not possible, restrict network access to MINA consumer ports to trusted hosts only. Review every Camel route that uses camel-mina as a TCP or UDP consumer and remove any ObjectInput type conversion (getBody(ObjectInput.class), @Body ObjectInput) that is not strictly necessary: the vulnerable converter is only reached when a route asks for that type. Note that a Web Application Firewall does not inspect raw TCP or UDP traffic, so it offers nothing here; for defense in depth, a network intrusion detection rule that flags the Java serialization stream header (bytes AC ED 00 05) arriving on MINA consumer ports will at least surface attempts.

Security Insight

This vulnerability belongs to a long lineage of Java deserialization flaws in which a framework wraps incoming data in an ObjectInputStream without a filter, reminiscent of the 2015 Apache Commons Collections RCE wave (CVE-2015-7501). What makes CVE-2026-40473 notable is how the pattern keeps resurfacing in modern frameworks: more than a decade after the initial ysoserial research, Camel still shipped a converter that calls readObject() on network-borne data. Integration frameworks that expose type converters are likely to harbor similar unfiltered deserialization paths, a blind spot that threat actors should be expected to probe.
