CVE-2026-6857
Status: Received - Intake
Unsafe Deserialization in camel-infinispan ProtoStream Enables RCE

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Red Hat, Inc.

Description
A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor      Product           Version / Range
apache      camel-infinispan  4.10.0
infinispan  infinispan        15.1.4
apache      camel-infinispan  *
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a high-severity remote code execution flaw found in the camel-infinispan component. It arises from unsafe deserialization in the ProtoStream remote aggregation repository. Specifically, the method DefaultExchangeHolderUtils.deserialize() uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter, which means untrusted data can be deserialized without restriction.

A remote attacker with low privileges can exploit this by sending specially crafted data, which leads to arbitrary code execution on the affected system.

This vulnerability allows the attacker to gain full control over the system, impacting its confidentiality, integrity, and availability.

How can this vulnerability impact me?

An attacker with low privileges can exploit this vulnerability remotely by sending specially crafted data to the affected system. Successful exploitation leads to arbitrary code execution, allowing the attacker to gain full control over the system. This compromises the system's confidentiality, integrity, and availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a remote attacker to execute arbitrary code, leading to full control over the affected system. Such a compromise impacts the confidentiality, integrity, and availability of data and systems.

Because of this, organizations using the affected software may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

Exploitation of this vulnerability could result in unauthorized access to personal or protected health information, potentially leading to data breaches and regulatory violations.

Can you explain this vulnerability to me?

CVE-2026-6857 is a high-severity remote code execution vulnerability found in the camel-infinispan component. It arises from unsafe deserialization in the ProtoStream remote aggregation repository, specifically in the method DefaultExchangeHolderUtils.deserialize() which uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter.

This lack of filtering allows an attacker with low privileges to send specially crafted data that gets deserialized unsafely, enabling them to execute arbitrary code remotely on the affected system.

This vulnerability has been verified on Apache Camel version 4.10.0 combined with Infinispan version 15.1.4 and follows a similar unsafe deserialization pattern seen in previous CVEs.

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by unsafe deserialization in the ProtoStream remote aggregation repository, specifically in the method DefaultExchangeHolderUtils.deserialize() which uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter.

To mitigate this vulnerability, immediate steps would typically include applying patches or updates provided by the vendor that address this unsafe deserialization issue.

Since the vulnerability has been verified on Apache Camel version 4.10.0 combined with Infinispan version 15.1.4, upgrading to a fixed version or applying security patches for these components is recommended.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository of camel-infinispan, specifically in the method DefaultExchangeHolderUtils.deserialize() using ClassLoadingAwareObjectInputStream.readObject() without an ObjectInputFilter.

Detection would typically involve monitoring for suspicious or unexpected deserialization activity or anomalous network traffic targeting the ProtoStream remote aggregation repository interfaces.

However, no specific detection commands or signatures are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The provided resources do not specify immediate mitigation steps for this vulnerability.

General best practices for unsafe deserialization vulnerabilities include applying patches or updates from the vendor, restricting network access to vulnerable services, and implementing input validation or deserialization filters if possible.
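As an added illustration (not code from camel-infinispan, Infinispan or this page), the following Java program contrasts the unfiltered readObject() pattern the page describes with the same call after an ObjectInputFilter allowlist has been installed on the stream. It assumes Java 9 or later; the allowlisted class names and the sample payloads are constructed for the demo.

```java
// Added illustration (not camel-infinispan's own code): applying an
// ObjectInputFilter to an ObjectInputStream so that only an allowlist of
// classes can be deserialized. Any other class named in the stream is
// rejected before its bytes are turned into an object.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

public class FilteredDeserializationDemo {

    // Allowlist filter (constructed for this demo): only java.util.ArrayList
    // and java.lang.String may be deserialized; the trailing "!*" rejects every
    // other class. maxdepth/maxarray also cap object-graph nesting and array
    // sizes so a stream cannot exhaust memory during deserialization.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;maxdepth=5;maxarray=1000;!*");

    // Helper that produces a serialized byte stream for the demo payloads.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    // Unfiltered read: the shape of the flaw the page describes. Every class
    // the stream names is resolved and instantiated, whatever it is.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Filtered read: the filter is installed BEFORE readObject() is called, so
    // it is consulted for every class descriptor encountered in the stream.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload of allowlisted types: passes the filter.
        List<String> expected = new ArrayList<>(List.of("a", "b"));
        byte[] ok = serialize(expected);
        System.out.println("allowlisted payload -> " + readFiltered(ok));

        // Constructed stand-in for an unexpected class: a harmless Serializable
        // type that is simply not on the allowlist.
        byte[] unexpected = serialize(new Date(0));
        System.out.println("unfiltered read accepts: "
                + readUnfiltered(unexpected).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered read unexpectedly succeeded");
        } catch (InvalidClassException e) {
            // Rejected by the filter; the message reports "filter status: REJECTED".
            System.out.println("filtered read rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can also be installed process-wide through the jdk.serialFilter system property when the deserializing code cannot be changed, which is the usual stopgap for a dependency such as camel-infinispan until a patched release is deployed.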
