Deserialization of Untrusted Data Vulnerability in Apache Camel by Apache
CVE-2026-40859
What is CVE-2026-40859?
A deserialization vulnerability has been identified in the Apache Camel framework, specifically in the camel-vertx-http component. The flaw arises from improper handling of HTTP response bodies containing the Content-Type application/x-java-serialized-object. When configured with certain options, an attacker with control over the backend service can craft malicious serialized objects that exploit this flaw, potentially leading to remote code execution on the vulnerable application host. This vulnerability can be particularly concerning in scenarios where the application communicates over unencrypted connections, making it susceptible to man-in-the-middle attacks. Users are advised to upgrade to the latest versions of Apache Camel and adopt secure configurations to mitigate the risk.
Affected Version(s)
Apache Camel 4.0.0 < 4.14.8
Apache Camel 4.15.0 < 4.18.3
Apache Camel 4.19.0 < 4.20.0