Deserialization Flaw in Apache Camel Consul Component
CVE-2026-27172

8.8 HIGH

Key Information:

Vendor

Apache

CVE Published:
27 April 2026

What is CVE-2026-27172?

The Consul component of Apache Camel deserializes Java objects that it reads back from the Consul key/value (KV) store. An attacker who has write access to that KV store can plant a serialized malicious object under a key the registry uses; when Camel later performs a lookup against the affected registry, the object is deserialized with no class restriction, which leads to arbitrary code execution in the Camel process. The issue is present in versions before 4.14.6 and before 4.18.1; the fixes shipped for previously issued CVEs on related deserialization issues did not cover this component.
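The pattern the advisory describes, reduced to a self-contained demo: a registry that stores values as Java-serialized bytes in a key/value store and rehydrates them with ObjectInputStream on lookup. This is added example code, not Apache Camel's ConsulRegistry; an in-memory Map stands in for the Consul KV store, and the "attacker" payload is a constructed serialized java.util.Date that merely stands in for a gadget-chain class. The hardened lookup shows the standard defence-in-depth control, a JEP 290 deserialization filter (Java 9 and later) that admits only an explicit allowlist of classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration (not Camel's code): a registry backed by a KV store that
 * round-trips values through Java serialization. The Map is an assumed
 * stand-in for the Consul KV store so the demo runs offline.
 */
public class KvRegistryDemo {

    /** Stand-in for the Consul KV store: key -> serialized bytes. */
    private final Map<String, byte[]> kv = new HashMap<>();

    /** Registration serializes the object the way a trusted writer would. */
    public void put(String key, Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        kv.put(key, bos.toByteArray());
    }

    /** Anyone with write access to the store can replace a key with arbitrary bytes. */
    public void rawWrite(String key, byte[] untrustedBytes) {
        kv.put(key, untrustedBytes);
    }

    /**
     * VULNERABLE lookup: whatever bytes sit under the key are deserialized with
     * no class restriction, so the class that gets instantiated (and whose
     * readObject runs) is chosen by whoever last wrote to the store.
     */
    public Object lookupUnsafe(String key) throws IOException, ClassNotFoundException {
        byte[] data = kv.get(key);
        if (data == null) return null;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /**
     * HARDENED lookup: the same read, but an ObjectInputFilter is installed on
     * the stream before readObject, so any class outside the allowlist is
     * rejected with InvalidClassException before it is instantiated.
     */
    public Object lookupFiltered(String key, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        byte[] data = kv.get(key);
        if (data == null) return null;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KvRegistryDemo reg = new KvRegistryDemo();
        reg.put("camel/config/greeting", "hello");   // legitimate value

        // Constructed attacker write: a serialized Date stands in for a gadget class.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.Date(0));
        }
        reg.rawWrite("camel/config/greeting", bos.toByteArray());

        Object o = reg.lookupUnsafe("camel/config/greeting");
        System.out.println("unsafe lookup instantiated: " + o.getClass().getName());

        // Filter pattern: allow java.lang.String, reject every other class ("!*").
        ObjectInputFilter allowStringOnly =
                ObjectInputFilter.Config.createFilter("java.lang.String;!*");
        try {
            reg.lookupFiltered("camel/config/greeting", allowStringOnly);
        } catch (InvalidClassException e) {
            System.out.println("filtered lookup rejected: " + e.getMessage());
        }
    }
}
```

The filter is a mitigation, not the fix: the remediation the advisory gives is upgrading to 4.14.6 or 4.18.1. Independently of the upgrade, the precondition for exploitation is write access to the KV keys the registry reads, so the Consul ACL policy for the Camel token should grant write only on the key prefixes it genuinely needs, and every other principal with KV write rights is effectively a code-execution path into the Camel process.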

Affected Version(s)

Apache Camel 3.0.0 up to, but not including, 4.14.6 (fixed in 4.14.6)

Apache Camel 4.15.0 up to, but not including, 4.18.1 (fixed in 4.18.1)

CVSS V3.1

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (write access to the Consul KV store)
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Credit

Andrea Cosentino from Apache Software Foundation