CVE-2026-6857

Awaiting Analysis Awaiting Analysis - Queue

Unsafe Deserialization in camel-infinispan ProtoStream Enables RCE

Publication date: 2026-04-22

Last updated on: 2026-06-02

Assigner: Red Hat, Inc.

Description

A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-22

Last Modified

2026-06-02

Generated

2026-06-16

AI Q&A

2026-04-22

EPSS Evaluated

2026-06-15

NVD

CVE-2026-6857

EUVD

EUVD-2026-24738

Affected Vendors & Products

Vendor	Product	Version / Range
apache	camel-infinispan	4.10.0
infinispan	infinispan	15.1.4
apache	camel-infinispan	*

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-502	The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

Executive Summary

CVE-2026-6857 is a high-severity remote code execution vulnerability found in the camel-infinispan component. It arises from unsafe deserialization in the ProtoStream remote aggregation repository, specifically in the method DefaultExchangeHolderUtils.deserialize() which uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter. This lack of filtering allows an attacker to send specially crafted data that gets deserialized unsafely, enabling remote code execution.

Impact Analysis

An attacker with low privileges can exploit this vulnerability remotely by sending specially crafted data to the affected system. Successful exploitation leads to arbitrary code execution, allowing the attacker to gain full control over the system. This compromises the system's confidentiality, integrity, and availability.

Compliance Impact

This vulnerability allows a remote attacker to execute arbitrary code, leading to full control over the affected system. Such a compromise impacts the confidentiality, integrity, and availability of data and systems.

Because of this, organizations using the affected software may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

Exploitation of this vulnerability could result in unauthorized access to personal or protected health information, potentially leading to data breaches and regulatory violations.

Executive Summary

This vulnerability is a high-severity remote code execution flaw found in the camel-infinispan component. It arises from unsafe deserialization in the ProtoStream remote aggregation repository. Specifically, the method DefaultExchangeHolderUtils.deserialize() uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter, which means untrusted data can be deserialized without restriction.

A remote attacker with low privileges can exploit this by sending specially crafted data, which leads to arbitrary code execution on the affected system.

This vulnerability allows the attacker to gain full control over the system, impacting its confidentiality, integrity, and availability.

Impact Analysis

Exploitation of this vulnerability can lead to arbitrary code execution by a remote attacker with low privileges.

This means the attacker could gain full control over the affected system.

Confidentiality impact: The attacker could access sensitive data.
Integrity impact: The attacker could modify or corrupt data.
Availability impact: The attacker could disrupt system operations or cause denial of service.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

Specifically, the method DefaultExchangeHolderUtils.deserialize() uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter, which means untrusted data can be deserialized without restriction.

This flaw allows a remote attacker with low privileges to send specially crafted data that can lead to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Compromise of system confidentiality
Compromise of system integrity
Compromise of system availability

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely on the affected system.

As a result, the attacker can gain full control over the system, which compromises its confidentiality, integrity, and availability.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

This flaw allows a remote attacker with low privileges to send specially crafted data that can lead to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

This compromises the confidentiality, integrity, and availability of the system, as the attacker can manipulate data, disrupt services, or access sensitive information.

Executive Summary

This lack of filtering allows an attacker with low privileges to send specially crafted data that gets deserialized unsafely, enabling them to execute arbitrary code remotely on the affected system.

This vulnerability has been verified on Apache Camel version 4.10.0 combined with Infinispan version 15.1.4 and follows a similar unsafe deserialization pattern seen in previous CVEs.

Impact Analysis

Exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected system, potentially gaining full control over it.

Confidentiality impact: The attacker can access sensitive data.
Integrity impact: The attacker can modify or corrupt data.
Availability impact: The attacker can disrupt system operations or cause denial of service.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely, which can lead to full control over the affected system.

Compromise of system confidentiality
Compromise of system integrity
Compromise of system availability

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

This allows a remote attacker with low privileges to send specially crafted data that leads to arbitrary code execution on the affected system.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely, which can lead to full control over the affected system.

Compromise of system confidentiality
Integrity breaches by unauthorized modification of data or system state
Availability impact through potential system disruption or denial of service

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

This flaw allows a remote attacker with low privileges to send specially crafted data that can lead to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

This compromises the confidentiality, integrity, and availability of the system, leading to severe security risks such as data breaches, system manipulation, or denial of service.

Executive Summary

This vulnerability is a high-severity remote code execution flaw found in the camel-infinispan component. It is caused by unsafe deserialization in the ProtoStream remote aggregation repository. Specifically, the method DefaultExchangeHolderUtils.deserialize() uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter, which means untrusted data can be deserialized without restriction.

A remote attacker with low privileges can exploit this by sending specially crafted data, which leads to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, gaining full control over the affected system.

This compromises the system's confidentiality, integrity, and availability, potentially leading to data breaches, system manipulation, or denial of service.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Compromise of system confidentiality
Integrity violations through unauthorized code execution
Availability impact by potentially disrupting system operations

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, effectively gaining full control over the affected system.

This compromises the confidentiality, integrity, and availability of the system, potentially leading to data breaches, system manipulation, or denial of service.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Confidentiality impact: The attacker can access sensitive data.
Integrity impact: The attacker can modify or corrupt data.
Availability impact: The attacker can disrupt system operations.

Mitigation Strategies

The vulnerability is caused by unsafe deserialization in the ProtoStream remote aggregation repository, specifically in the method DefaultExchangeHolderUtils.deserialize() which uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter.

To mitigate this vulnerability, immediate steps would typically include applying patches or updates provided by the vendor that address this unsafe deserialization issue.

Since the vulnerability has been verified on Apache Camel version 4.10.0 combined with Infinispan version 15.1.4, upgrading to a fixed version or applying security patches for these components is recommended.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely, which can lead to full control over the affected system.

Compromise of system confidentiality by accessing sensitive data.
Integrity violations by modifying or corrupting data.
Availability issues by disrupting or disabling system operations.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely on the affected system.

As a result, the attacker can gain full control over the system, compromising its confidentiality, integrity, and availability.

Detection Guidance

This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository of camel-infinispan, specifically in the method DefaultExchangeHolderUtils.deserialize() using ClassLoadingAwareObjectInputStream.readObject() without an ObjectInputFilter.

Detection would typically involve monitoring for suspicious or unexpected deserialization activity or anomalous network traffic targeting the ProtoStream remote aggregation repository interfaces.

However, no specific detection commands or signatures are provided in the available resources.

Mitigation Strategies

The provided resources do not specify immediate mitigation steps for this vulnerability.

General best practices for unsafe deserialization vulnerabilities include applying patches or updates from the vendor, restricting network access to vulnerable services, and implementing input validation or deserialization filters if possible.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Confidentiality impact: attacker can access sensitive data.
Integrity impact: attacker can modify or corrupt data.
Availability impact: attacker can disrupt or disable system services.

Executive Summary

The issue occurs because the deserialization process uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter, which means untrusted data can be deserialized without restriction.

A remote attacker with low privileges can exploit this by sending specially crafted data, which leads to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, effectively gaining full control over the affected system.

Confidentiality impact: The attacker can access sensitive data.
Integrity impact: The attacker can modify or corrupt data.
Availability impact: The attacker can disrupt or disable system operations.

Detection Guidance

This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository of camel-infinispan, specifically in the method DefaultExchangeHolderUtils.deserialize(). Detection would require monitoring for suspicious deserialization activity or attempts to send specially crafted data to this component.

No specific detection commands or network signatures are provided in the available resources.

Mitigation Strategies

The resource does not provide explicit mitigation steps or patches.

However, since the vulnerability is caused by unsafe deserialization without an ObjectInputFilter, immediate mitigation could involve applying security updates or patches from the vendor, restricting network access to the vulnerable service, or disabling the affected functionality until a fix is available.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

This allows a remote attacker with low privileges to send specially crafted data that can lead to arbitrary code execution on the affected system.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

This flaw allows a remote attacker with low privileges to send specially crafted data that can lead to arbitrary code execution on the affected system.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely, which can lead to full control over the affected system.

Confidentiality impact: The attacker can access sensitive data.
Integrity impact: The attacker can modify or corrupt data.
Availability impact: The attacker can disrupt system operations.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

Specifically, the method DefaultExchangeHolderUtils.deserialize() uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter, allowing untrusted data to be deserialized.

A remote attacker with low privileges can exploit this by sending specially crafted data, which can lead to arbitrary code execution on the affected system.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Compromise of system confidentiality
Compromise of system integrity
Compromise of system availability

Executive Summary

CVE-2026-6857 is a high-severity remote code execution vulnerability found in the camel-infinispan component. It is caused by unsafe deserialization in the ProtoStream remote aggregation repository. Specifically, the method DefaultExchangeHolderUtils.deserialize() uses ClassLoadingAwareObjectInputStream.readObject() without applying an ObjectInputFilter, which means untrusted data can be deserialized without restriction.

This flaw allows a remote attacker with low privileges to send specially crafted data that can lead to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

This compromises the confidentiality, integrity, and availability of the system, which can lead to data breaches, system manipulation, or denial of service.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

This flaw allows a remote attacker with low privileges to send specially crafted data that can lead to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Confidentiality impact: The attacker can access sensitive data.
Integrity impact: The attacker can modify or corrupt data.
Availability impact: The attacker can disrupt system operations.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Compromise of system confidentiality
Compromise of system integrity
Compromise of system availability

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

This flaw enables a remote attacker with low privileges to send specially crafted data that can lead to arbitrary code execution on the affected system.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, which can lead to arbitrary code execution on the affected system.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Confidentiality impact: The attacker can access sensitive data.
Integrity impact: The attacker can modify or corrupt data.
Availability impact: The attacker can disrupt system operations.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

This compromises the confidentiality, integrity, and availability of the system, leading to severe security risks.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Compromise of system confidentiality
Compromise of system integrity
Compromise of system availability

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

Confidentiality impact: The attacker can access sensitive data.
Integrity impact: The attacker can modify or corrupt data.
Availability impact: The attacker can disrupt system operations.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

A remote attacker with low privileges can exploit this by sending specially crafted data, leading to arbitrary code execution on the affected system.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely, which can lead to full control over the affected system.

Compromise of system confidentiality
Integrity violations by unauthorized code execution
Availability impact due to potential system takeover or disruption

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

As a result, the confidentiality, integrity, and availability of the system can be severely compromised.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

This flaw allows a remote attacker with low privileges to send specially crafted data that leads to arbitrary code execution on the affected system.

Executive Summary

CVE-2026-6857 is a high-severity vulnerability in the camel-infinispan component caused by unsafe deserialization in the ProtoStream remote aggregation repository.

This allows a remote attacker with low privileges to send specially crafted data that can lead to arbitrary code execution on the affected system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, potentially gaining full control over the affected system.

This compromises the confidentiality, integrity, and availability of the system, leading to severe security risks such as data breaches, system manipulation, or denial of service.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely, gaining full control over the affected system.

This compromises the confidentiality, integrity, and availability of the system, potentially leading to data breaches, system manipulation, or denial of service.

Hi! I’m here to help you understand CVE-2026-6857. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-6857

Unsafe Deserialization in camel-infinispan ProtoStream Enables RCE

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart