Deserialization Flaw in Apache Camel Consul Component
CVE-2026-27172
Currently unrated
What is CVE-2026-27172?
The Consul component of Apache Camel contains a deserialization vulnerability that allows potentially malicious Java objects to be injected and executed. An attacker who gains write access to the Consul KV store can insert such objects, leading to arbitrary code execution when Camel subsequently performs a lookup against the affected registry. The vulnerability exists in versions prior to 4.14.6 and 4.18.1, which are missing the patching that addressed previously issued CVEs.
Affected Version(s)
Apache Camel 3.0.0 < 4.14.6
Apache Camel 4.15.0 < 4.18.1
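The two ranges above are disjoint, so a single "older than 4.18.1" comparison would wrongly flag fixed 4.14.x releases. The check below is an added example, not part of the advisory or of Apache Camel; it assumes the component ships as the Maven artifact org.apache.camel:camel-consul and that the input is `mvn dependency:list` output, and the sample lines are constructed.

```python
import re

# Affected ranges as listed on this page: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [((3, 0, 0), (4, 14, 6)), ((4, 15, 0), (4, 18, 1))]

# Assumption: the Consul component is the artifact org.apache.camel:camel-consul,
# printed by Maven as group:artifact:type:version:scope.
DEP_LINE = re.compile(r"org\.apache\.camel:camel-consul:[\w.-]+:(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return the leading numeric part of a version as a 3-tuple.

    Qualifiers such as -SNAPSHOT or vendor suffixes are ignored (assumption).
    """
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"not a version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True if the version falls inside either affected range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def scan_dependency_list(text):
    """Return (version, affected) for every camel-consul entry found."""
    return [(m.group(1), is_affected(m.group(1))) for m in DEP_LINE.finditer(text)]


# Constructed sample of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.apache.camel:camel-core:jar:4.14.2:compile
[INFO]    org.apache.camel:camel-consul:jar:4.14.2:compile
[INFO]    org.apache.camel:camel-consul:jar:4.14.6:compile
[INFO]    org.apache.camel:camel-consul:jar:4.16.0:runtime
[INFO]    org.apache.camel:camel-consul:jar:4.18.1:compile
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_list(SAMPLE):
        print(f"camel-consul {version}: {'AFFECTED' if affected else 'not in affected range'}")
```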