Deserialization Vulnerability in Apache Camel Components
CVE-2026-42527
What is CVE-2026-42527?
A deserialization vulnerability exists in Apache Camel components, allowing attackers to send maliciously crafted Java-serialized payloads. When affected consumers deserialize a HashMap that includes java.net.URL keys, the JVM may perform DNS queries to an attacker-controlled host. This happens due to the ineffective filtering of the default ObjectInputFilter pattern, which permits classes performing network I/O. The issue is most pronounced in the camel-jms family, where deserialization operations are performed unconditionally. Users are advised to upgrade their Apache Camel versions or to implement a secure JMS-provider-side allow-list to mitigate potential attacks.
Affected Version(s)
Apache Camel 4.14.0 < 4.14.8
Apache Camel 4.15.0 < 4.18.3
Apache Camel 4.19.0 < 4.21.0