Deserialization Vulnerability in Apache Camel JMS Component
CVE-2026-43866

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-43866?

A deserialization vulnerability exists in the Apache Camel JMS component where the JmsBinding.extractBodyFromJms() method can integrate untrusted data if the mapJmsMessage option is enabled, allowing attackers to publish arbitrary messages. This flaw permits precise manipulation of routing, headers, exchange properties, and error handling without requiring complex deserialization chains. Upgrading to version 4.21.0 or later is highly recommended, with careful management of ObjectMessage consumption to ensure security.

Affected Version(s)

Apache Camel 3.0.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

gaorenyusi
Andrea Cosentino
.