Deserialization Vulnerability in Apache Camel Components
CVE-2026-42527

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-42527?

A deserialization vulnerability exists in Apache Camel components, allowing attackers to send maliciously crafted Java-serialized payloads. When affected consumers deserialize a HashMap that includes java.net.URL keys, the JVM may perform DNS queries to an attacker-controlled host. This happens due to the ineffective filtering of the default ObjectInputFilter pattern, which permits classes performing network I/O. The issue is most pronounced in the camel-jms family, where deserialization operations are performed unconditionally. Users are advised to upgrade their Apache Camel versions or to implement a secure JMS-provider-side allow-list to mitigate potential attacks.

Affected Version(s)

Apache Camel 4.14.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Venkatraman Kumar from Securin
Yu Bao from Paypal
.