Remote Code Execution Vulnerability in Apache Camel Infinispan Component
CVE-2026-40858

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Camel
Vendor: CVE Published:; 27 April 2026

What is CVE-2026-40858?

The vulnerability in Apache Camel's Infinispan component arises from an insecure deserialization process involving ProtoStream. Specifically, the component employs java.io.ObjectInputStream to deserialize data from a remote Infinispan cache without utilizing an ObjectInputFilter, exposing the application to potential remote code execution. If an attacker can write to the Infinispan cache, they can craft a malicious serialized Java object. This object, when retrieved during aggregation operations such as 'get' or 'recover', can execute arbitrary code within the application context. Affected versions include Apache Camel from 4.0.0 prior to 4.14.7, from 4.15.0 prior to 4.18.2, and from 4.19.0 prior to 4.20.0. Users are advised to update to versions 4.20.0 or 4.14.7/4.18.2 as applicable to mitigate the risks.

Affected Version(s)

Apache Camel 4.0.0 < 4.14.7

Apache Camel 4.15.0 < 4.18.2

Apache Camel 4.19.0 < 4.20.0

References

https://camel.apache.org/security/CVE-2026-40858.html

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Feng Ning from Innora Pte. Ltd.

CVE-2026-40858 Data

JSON