Unsafe Deserialization in Camel Infinispan Product by Red Hat
CVE-2026-6857

7.5HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Apache Camel 4 For Quarkus 3; Red Hat Build Of Apache Camel For Spring Boot 4; Red Hat Fuse 7; Red Hat Jboss Enterprise Application Platform 8
Vendor: CVE Published:; 22 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-6857?

A vulnerability has been identified in the Camel Infinispan product from Red Hat. This flaw involves unsafe deserialization within the ProtoStream remote aggregation repository. A remote attacker, with minimal privileges, could exploit this weakness by sending specially crafted data. Consequently, this could lead to arbitrary code execution, granting the attacker complete control over the compromised system, thereby jeopardizing the system's confidentiality, integrity, and availability.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-6857
Created by HORKimhab

References

https://access.redhat.com/security/cve/CVE-2026-6857

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2460003

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 16, 2026
👾
Exploit known to exist
May 16, 2026
Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 22, 2026

Credit

Red Hat would like to thank Feng Ning (Innora Pte. Ltd.) for reporting this issue.

CVE-2026-6857 Data

JSON