CVE-2026-40860
Unsafe JMS ObjectMessage Deserialization in Apache Camel Enables RCE
Publication date: 2026-04-27
Last updated on: 2026-04-28
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | camel | 4.19.0 |
| apache | camel | From 4.15.0 (inc) to 4.18.2 (exc) |
| apache | camel | From 3.0.0 (inc) to 4.14.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in Apache Camel components such as camel-jms, camel-sjms, camel-sjms2, and camel-amqp. It occurs because the method JmsBinding.extractBodyFromJms() deserializes the payload of incoming JMS ObjectMessage instances without applying any security filters like ObjectInputFilter, class allowlist, or denylist.
Since the mapJmsMessage option is enabled by default and Camel acts as a JMS consumer, an attacker who can send a specially crafted ObjectMessage to a queue or topic consumed by a vulnerable Camel application could exploit this to execute remote code. This is possible if a suitable deserialization gadget chain is present on the classpath.
The vulnerability affects multiple versions of Apache Camel from 3.0.0 up to but not including 4.14.7, from 4.15.0 up to but not including 4.18.2, and from 4.19.0 up to but not including 4.20.0.
How can this vulnerability impact me? :
If you are using a vulnerable version of Apache Camel and have the mapJmsMessage option enabled (which is the default), an attacker could send a crafted JMS ObjectMessage to your application's queue or topic.
This could lead to remote code execution on your system if a suitable deserialization gadget chain exists on the classpath, potentially allowing the attacker to take control of your application or system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are strongly advised to upgrade Apache Camel to a fixed version that addresses the issue.
- Upgrade to version 4.20.0 if using versions after 4.19.0.
- If using the 4.14.x long-term support (LTS) stream, upgrade to 4.14.7.
- If using the 4.18.x release stream, upgrade to 4.18.2.