CVE-2026-40473

Published: Apr 27, 2026 Last Modified: Apr 28, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,8

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject().

This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.

Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0012

Percentile

0,3th

Updated

EPSS Score Trend (Last 4 Days)

502

Deserialization of Untrusted Data

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Availability Other

Potential Impacts:

Modify Application Data Unexpected State Dos: Resource Consumption (Cpu) Varies By Context

Applicable Platforms

Languages: Java, JavaScript, PHP, Python, Ruby

Technologies: AI/ML, ICS/OT, Not Technology-Specific

Likelihood of Exploit: Medium

View CWE Details

Application

Camel by Apache

Product Information

Vendor Apache

Product Camel

Version Range Affected

From 3.0.0 (inclusive)

To 4.14.6 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Camel by Apache

Product Information

Vendor Apache

Product Camel

Version Range Affected

From 4.15.0 (inclusive)

To 4.18.2 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Camel by Apache

Product Information

Vendor Apache

Product Camel

Version 4.19.0

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

http://www.openwall.com/lists/oss-security/2026/04/26/8

https://camel.apache.org/security/CVE-2026-40473.html

CVE-2026-40473

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 4 Days)

Deserialization of Untrusted Data

Common Consequences

Applicable Platforms

Camel by Apache

Product Information

Camel by Apache

Product Information

Camel by Apache

Product Information

Iscriviti alla newsletter