Deserialization Vulnerability in Apache Camel Hazelcast Component
CVE-2026-43865
What is CVE-2026-43865?
A deserialization vulnerability exists in the Apache Camel Hazelcast component, where untrusted data can be deserialized without adequate filtering. The component's default configuration allows objects received over the Hazelcast cluster protocol to be deserialized using the Java serialization mechanism. If an attacker gains access to the Hazelcast cluster, they can send crafted serialized Java objects, leading to potential remote code execution on all nodes running Camel instances. This vulnerability affects configurations that utilize the hazelcast consumer across multiple routes and is enabled without requiring specific setup. To mitigate, users should upgrade to recommended versions or implement deserialization filters and security measures.
Affected Version(s)
Apache Camel 4.0.0 < 4.14.8
Apache Camel 4.15.0 < 4.18.3
Apache Camel 4.19.0 < 4.21.0