Deserialization of Untrusted Data Vulnerability in Apache Camel by Apache
CVE-2026-40859

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-40859?

A deserialization vulnerability has been identified in the Apache Camel framework, specifically in the camel-vertx-http component. The flaw arises from improper handling of HTTP response bodies containing the Content-Type application/x-java-serialized-object. When configured with certain options, an attacker with control over the backend service can craft malicious serialized objects that exploit this flaw, potentially leading to remote code execution on the vulnerable application host. This vulnerability can be particularly concerning in scenarios where the application communicates over unencrypted connections, making it susceptible to man-in-the-middle attacks. Users are advised to upgrade to the latest versions of Apache Camel and adopt secure configurations to mitigate the risk.

Affected Version(s)

Apache Camel 4.0.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.20.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Venkatraman Kumar from Securin
.