CVE-2026-42527
Received Received - Intake

Deserialization of Untrusted Data in Apache Camel

Vulnerability report for CVE-2026-42527, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Deserialization of Untrusted Data vulnerability in Apache Camel. The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object's class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository). This issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.**;java.**;javax.**;org.apache.camel.**;!*' (or '!java.net.**;java.**;org.apache.camel.**;!*' for the aggregation-repository components, which do not include javax.**).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel From 4.14.0 (inc) to 4.14.8 (exc)
apache camel From 4.15.0 (inc) to 4.18.3 (exc)
apache camel From 4.19.0 (inc) to 4.21.0 (exc)
apache camel 4.14.8
apache camel 4.18.3
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42527 is a medium-severity vulnerability in Apache Camel involving deserialization of untrusted data.

The default ObjectInputFilter pattern used by several Apache Camel components allows certain Java classes like java.net.URL and java.net.InetAddress, which can perform network input/output operations during deserialization.

When an attacker sends a specially crafted Java-serialized payload to an affected Camel consumer, deserialization of collections containing java.net.URL keys causes the Java Virtual Machine to issue DNS queries to attacker-controlled hosts as a side effect.

This happens because the filter allows the HashMap class (or similar collections) which calls hashCode on its elements, triggering network activity during deserialization.

The vulnerability is especially significant in the camel-jms family of components due to default settings that automatically deserialize ObjectMessages.

Impact Analysis

This vulnerability can lead to information disclosure through an out-of-band side channel.

Specifically, an attacker can observe DNS queries triggered by the deserialization process on a DNS server they control, potentially leaking sensitive information about the internal system or environment.

The impact is highest in environments using the camel-jms components with default configurations, where untrusted serialized data can be deserialized automatically.

Attackers could exploit this to gain insights into internal network details or to confirm the presence of vulnerable systems.

Detection Guidance

This vulnerability can be detected by monitoring for unusual DNS queries originating from the JVM during deserialization processes, especially DNS queries to attacker-controlled hosts triggered by deserialization of Java-serialized payloads containing java.net.URL keys.

Network monitoring tools or DNS logs can be used to detect these suspicious DNS queries as an indicator of exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include capturing DNS traffic with tools like tcpdump or Wireshark, for example:

  • tcpdump -i <interface> port 53
  • or using system logs to detect JVM deserialization activity if logging is enabled.
Mitigation Strategies

Immediate mitigation steps include upgrading Apache Camel to a fixed version: 4.14.8 for the 4.14.x line, 4.18.3 for the 4.18.x line, or 4.21.0 for the 4.21.x line.

For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list to restrict deserialization, such as:

  • Apache ActiveMQ Artemis 'deserializationAllowList' or 'deserializationDenyList'
  • Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES'

Additionally, override the default deserialization filter by setting the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny pattern like '!java.net.**;java.**;javax.**;org.apache.camel.**;!*' (or '!java.net.**;java.**;org.apache.camel.**;!*' for aggregation-repository components).

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42527. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart