CVE-2026-40860

Published: Apr 27, 2026 Last Modified: Apr 28, 2026
ExploitDB:
Other exploit source:
Google Dorks:
CRITICAL 9,8
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high

Description

AI Translation Available

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6.

This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.

Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0066
Percentile
0,7th
Updated

EPSS Score Trend (Last 4 Days)

502

Deserialization of Untrusted Data

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Availability Other
Potential Impacts:
Modify Application Data Unexpected State Dos: Resource Consumption (Cpu) Varies By Context
Applicable Platforms
Languages: Java, JavaScript, PHP, Python, Ruby
Technologies: AI/ML, ICS/OT, Not Technology-Specific
Likelihood of Exploit: Medium
View CWE Details
Application

Camel by Apache

Product Information
Vendor Apache
Product Camel
Version Range Affected
From 4.15.0 (inclusive)
To 4.18.2 (exclusive)
cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Camel by Apache

Product Information
Vendor Apache
Product Camel
Version Range Affected
From 3.0.0 (inclusive)
To 4.14.7 (exclusive)
cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Camel by Apache

Product Information
Vendor Apache
Product Camel
Version 4.19.0
cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
http://www.openwall.com/lists/oss-security/2026/04/26/10
http://www.openwall.com/lists/oss-security/2026/04/26/10
https://camel.apache.org/security/CVE-2026-40860.html
https://camel.apache.org/security/CVE-2026-40860.html