Remote Code Execution Vulnerability in Apache Camel JMS Component
CVE-2026-40860

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Camel
Vendor: CVE Published:; 27 April 2026

What is CVE-2026-40860?

A vulnerability exists in the Apache Camel JMS Component where the deserialization of ObjectMessage payloads occurs without an ObjectInputFilter. This flaw could allow an attacker to publish a specially crafted ObjectMessage to a queue or topic consumed by a Camel application, resulting in remote code execution if a malicious class is present on the classpath. This issue primarily affects versions of Apache Camel between 3.0.0 and 4.14.6, 4.15.0 to 4.18.1, and 4.19.0 to 4.19.9. It is highly recommended that users upgrade to version 4.20.0 or higher, or to 4.14.7 for LTS users, to mitigate this vulnerability.

Affected Version(s)

Apache Camel 3.0.0 < 4.14.7

Apache Camel 4.15.0 < 4.18.2

Apache Camel 4.19.0 < 4.20.0

References

https://camel.apache.org/security/CVE-2026-40860.html

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Venkatraman Kumar from Securin

CVE-2026-40860 Data

JSON