Camel RCE via deserialization (CVE-2026-40858)
CVE-2026-40858: Apache Camel 4.x deserialization RCE in Infinispan component (CVSS 8.8). An attacker writing to the cache can execute code. Upgrade to Camel 4.20.0.
Vendor-confirmed: CVE-2026-40858 is a high-severity deserialization RCE in Apache Camel 4.0.0 through 4.19.0 that lets an attacker with write access to an Infinispan cache execute arbitrary code during normal aggregation operations. Patched in 4.20.0; 4.14.x users must upgrade to 4.14.7, and 4.18.x users to 4.18.2.
Overview
CVE-2026-40858 is a deserialization vulnerability in Apache Camel’s camel-infinispan component. The ProtoStream-based remote aggregation repository deserializes data from a remote Infinispan cache using java.io.ObjectInputStream without any ObjectInputFilter. This is a missing input validation issue that follows the same pattern as earlier Camel vulnerabilities CVE-2024-22369, CVE-2024-23114, and CVE-2026-25747.
An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object. When the Camel application reads that object during normal operations, such as retrieving or recovering aggregated data, the malicious payload deserializes and executes arbitrary code in the context of the application.
Affected Versions
- Apache Camel 4.0.0 through 4.14.6 (4.14.x LTS)
- Apache Camel 4.15.0 through 4.18.1 (4.18.x release stream)
- Apache Camel 4.19.0 through 4.19.x
Impact
Successful exploitation grants the attacker arbitrary code execution on the server running the Camel application. This could lead to complete system compromise, data exfiltration, or lateral movement within the network. The CVSS 8.8 (High) rating reflects the network-based attack vector and low complexity, though it requires the attacker to already have write access to the Infinispan cache.
Remediation
Upgrade immediately based on your release stream:
- For 4.14.x LTS users: upgrade to 4.14.7
- For 4.18.x release stream users: upgrade to 4.18.2
- For all other users: upgrade to 4.20.0
The fix installs an ObjectInputFilter on the ObjectInputStream so that deserialization of untrusted classes is rejected. Refer to the Apache JIRA ticket for the specific commit implementing this fix.
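To make the fix pattern concrete, the following Java program (an example written for this page, not Camel's or Infinispan's own code) contrasts the vulnerable shape, an ObjectInputStream with no filter, with the hardened shape, an ObjectInputStream guarded by an allow-list ObjectInputFilter. The class names FilteredCacheDeserialization, AggregateState and Unexpected are hypothetical stand-ins, the filter pattern and its size limits are assumptions chosen for the example, and the byte arrays it reads are constructed in the program to stand in for values pulled from a cache. It needs Java 9 or later for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not Camel or Infinispan code): an unfiltered ObjectInputStream beside
// one guarded by an allow-list ObjectInputFilter. All class names are hypothetical.
public class FilteredCacheDeserialization {

    // Hypothetical stand-in for the aggregated exchange state a repository stores in the cache.
    public static final class AggregateState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String correlationId;
        final int messageCount;

        AggregateState(String correlationId, int messageCount) {
            this.correlationId = correlationId;
            this.messageCount = messageCount;
        }
    }

    // Hypothetical stand-in for any Serializable class the repository never expects in the cache.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Vulnerable pattern: whichever class the cache bytes name is resolved and instantiated,
    // so whoever can write to the cache chooses which classes run during deserialization.
    static Object readUnfiltered(byte[] cacheValue) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cacheValue))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list filter. Only the expected state class (plus the java.lang
    // types it needs) may be resolved; "!*" rejects every other class, and the limits bound
    // how much of a crafted stream is processed before rejection. Values are example choices.
    static final ObjectInputFilter CACHE_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;maxbytes=65536;"
            + "FilteredCacheDeserialization$AggregateState;java.lang.*;!*");

    static Object readFiltered(byte[] cacheValue) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cacheValue))) {
            in.setObjectInputFilter(CACHE_FILTER); // must be set before the first readObject()
            return in.readObject();
        }
    }

    // Helper that produces the constructed sample cache values used below.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: one legitimate, one of a class the repository never expects.
        byte[] legitimate = serialize(new AggregateState("order-42", 3));
        byte[] foreign = serialize(new Unexpected());

        // The unfiltered reader accepts both; it has no notion of an "expected type".
        System.out.println("unfiltered, legitimate: " + readUnfiltered(legitimate).getClass().getSimpleName());
        System.out.println("unfiltered, foreign:    " + readUnfiltered(foreign).getClass().getSimpleName());

        // The filtered reader still accepts the expected type ...
        AggregateState state = (AggregateState) readFiltered(legitimate);
        System.out.println("filtered, legitimate:   " + state.correlationId + " x" + state.messageCount);

        // ... and rejects the foreign class: readObject fails with InvalidClassException
        // ("filter status: REJECTED") before any of that class's deserialization logic runs.
        try {
            readFiltered(foreign);
            System.out.println("filtered, foreign:      accepted (filter not applied?)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, foreign:      rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it with `javac FilteredCacheDeserialization.java && java FilteredCacheDeserialization`. The point of the allow-list form is that the filter names the exact types the repository stores rather than trying to enumerate dangerous ones, so a new class on the classpath never widens what the cache writer can reach. As defence in depth, the same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property, which catches any ObjectInputStream in the JVM that a component forgot to filter.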
Mitigations
Until a patch can be applied, restrict write access to the Infinispan cache to only trusted, authenticated users. Monitor cache access logs for unexpected write operations. This vulnerability cannot be triggered without the ability to write to the cache.
Security Insight
This is the third deserialization vulnerability in Apache Camel’s Infinispan integration, following CVE-2024-22369 and CVE-2024-23114. The recurrence suggests a systemic issue in how Camel handles serialized data from external caches. Organizations using Camel in environments that interact with shared or untrusted Infinispan caches should treat this component as a high-risk integration point and prioritize hardening around the ObjectInputFilter pattern. The vendor’s repeated use of java.io.ObjectInputStream without input filtering is concerning; security reviews of similar components across the codebase would be prudent.