Remote Code Execution Vulnerability in Apache Camel Infinispan Component
CVE-2026-40858

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Camel
Vendor: CVE Published:; 27 April 2026

What is CVE-2026-40858?

The vulnerability in Apache Camel's Infinispan component arises from an insecure deserialization process involving ProtoStream. Specifically, the component employs java.io.ObjectInputStream to deserialize data from a remote Infinispan cache without utilizing an ObjectInputFilter, exposing the application to potential remote code execution. If an attacker can write to the Infinispan cache, they can craft a malicious serialized Java object. This object, when retrieved during aggregation operations such as 'get' or 'recover', can execute arbitrary code within the application context. Affected versions include Apache Camel from 4.0.0 prior to 4.14.7, from 4.15.0 prior to 4.18.2, and from 4.19.0 prior to 4.20.0. Users are advised to update to versions 4.20.0 or 4.14.7/4.18.2 as applicable to mitigate the risks.

Affected Version(s)

Apache Camel 4.0.0 < 4.14.7

Apache Camel 4.15.0 < 4.18.2

Apache Camel 4.19.0 < 4.20.0

References

https://camel.apache.org/security/CVE-2026-40858.html

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Feng Ning from Innora Pte. Ltd.

CVE-2026-40858 Data

JSON