Deserialization Vulnerability in Apache Camel Hazelcast Component
CVE-2026-43865

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-43865?

A deserialization vulnerability exists in the Apache Camel Hazelcast component, where untrusted data can be deserialized without adequate filtering. The component's default configuration allows objects received over the Hazelcast cluster protocol to be deserialized using the Java serialization mechanism. If an attacker gains access to the Hazelcast cluster, they can send crafted serialized Java objects, leading to potential remote code execution on all nodes running Camel instances. This vulnerability affects configurations that utilize the hazelcast consumer across multiple routes and is enabled without requiring specific setup. To mitigate, users should upgrade to recommended versions or implement deserialization filters and security measures.

Affected Version(s)

Apache Camel 4.0.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

gaorenyusi
.