PatchSiren cyber security CVE debrief
CVE-2026-27172 Apache CVE debrief
CVE-2026-27172 is a deserialization vulnerability in the ConsulRegistry component of Apache Camel. The issue arises because ConsulRegistry, through its inner ConsulRegistryUtils.deserialize method, reads Java-serialized values from the Consul KV store and passes them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store can therefore store a malicious serialized Java object that is deserialized, leading to arbitrary code execution in the Camel process, when a lookup is performed against that registry. This vulnerability mirrors issues addressed in CVE-2024-22369, CVE-2024-23114, and CVE-2026-25747 but was overlooked during the original remediation of those CVEs. The affected versions of Apache Camel are from 3.0.0 up to but not including 4.14.6, and from 4.15.0 up to but not including 4.18.1. Users are recommended to upgrade to version 4.19.0 to fix the issue. For users on the 4.14.x LTS release stream, upgrading to 4.14.6 is suggested, and for those on the 4.18.x release stream, upgrading to 4.18.1 is recommended.
- Vendor: Apache
- Product: Camel
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-27
- Advisory updated: 2026-06-30
Who should care
Users of Apache Camel, especially those using versions between 3.0.0 and 4.14.6 or between 4.15.0 and 4.18.1, should be aware of this vulnerability. This includes developers and administrators who manage applications built with Apache Camel, as they may be exposed to potential code execution attacks through the ConsulRegistry component.
Technical summary
The ConsulRegistry in the camel-consul component of Apache Camel deserializes Java objects from the Consul KV store without any deserialization filtering. A malicious serialized object placed in the store is deserialized during a registry lookup, which allows arbitrary code execution in the Camel process. The root cause is the use of ObjectInputStream.readObject() without an ObjectInputFilter. Affected versions are Apache Camel 3.0.0 up to but not including 4.14.6, and 4.15.0 up to but not including 4.18.1. The fix is to upgrade to Apache Camel 4.19.0, or to the patched release of your release stream (4.14.6 for 4.14.x, 4.18.1 for 4.18.x).
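The following is an added illustration of the root cause described above; it is not Apache Camel code and does not reproduce the ConsulRegistry implementation. A small registry keeps Java-serialized values in an in-memory map that stands in for the Consul KV store (the map, the Endpoint class, the key names and the filter pattern are all constructed for the demo). lookupUnfiltered shows the readObject() call with no ObjectInputFilter; lookupFiltered attaches an allow-list filter built with the standard java.io.ObjectInputFilter API (Java 9+), so a stored value of any class the registry does not expect is refused with InvalidClassException before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Apache Camel code: a minimal registry storing
// Java-serialized values in a Map that stands in for the Consul KV store.
public class FilteredRegistryDemo {

    // Constructed stand-in for the Consul KV store (key -> serialized bytes).
    static final Map<String, byte[]> kvStore = new HashMap<>();

    // The only value type this demo registry is expected to hold (constructed).
    public static class Endpoint implements Serializable {
        private static final long serialVersionUID = 1L;
        final String uri;
        Endpoint(String uri) { this.uri = uri; }
    }

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern (shown for contrast only): the bytes in the store are
    // deserialized as-is, so whoever can write to the store chooses which
    // Serializable class on the classpath gets instantiated.
    static Object lookupUnfiltered(String key) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(kvStore.get(key)))) {
            return ois.readObject();
        }
    }

    // Allow-list filter: the demo's Endpoint and java.lang.String are admitted,
    // every other class is rejected by the trailing "!*", and the object graph is
    // bounded so oversized or deeply nested streams are refused as well.
    static final ObjectInputFilter REGISTRY_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;maxbytes=65536;"
            + "FilteredRegistryDemo$Endpoint;java.lang.String;!*");

    // Hardened pattern: the filter is attached before readObject() runs, so a
    // stream naming an unexpected class fails with InvalidClassException
    // ("filter status: REJECTED") instead of being instantiated.
    static Object lookupFiltered(String key) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(kvStore.get(key)))) {
            ois.setObjectInputFilter(REGISTRY_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        kvStore.put("camel/registry/orders", serialize(new Endpoint("direct:orders")));
        // A harmless value of a type the registry never expects; it stands in for
        // any class a writer to the KV store could pick.
        kvStore.put("camel/registry/tampered", serialize(new java.util.Date()));

        Endpoint ok = (Endpoint) lookupFiltered("camel/registry/orders");
        System.out.println("filtered lookup of expected type: " + ok.uri);

        try {
            lookupFiltered("camel/registry/tampered");
            System.out.println("unexpected: tampered value was accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered lookup rejected unexpected class: " + e.getMessage());
        }

        // The unfiltered path accepts the same bytes without complaint.
        Object accepted = lookupUnfiltered("camel/registry/tampered");
        System.out.println("unfiltered lookup accepted: " + accepted.getClass().getName());
    }
}
```

The same allow-list can be applied process-wide with the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, which is a useful stopgap while an upgrade to a fixed Camel release is scheduled; a per-stream filter as above is the more precise fix because each deserialization site declares exactly which classes it expects.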
Defensive priority
High priority should be given to upgrading Apache Camel to version 4.19.0 or to the patched release of your release stream. Immediate action is advised for environments running affected versions of Apache Camel, especially where anyone other than the Camel application itself is able to write to the Consul KV store.
Recommended defensive actions
- Upgrade Apache Camel to version 4.19.0.
- For users on the 4.14.x LTS releases stream, upgrade to 4.14.6.
- For users on the 4.18.x releases stream, upgrade to 4.18.1.
- Review and restrict access to the Consul KV store to prevent unauthorized modifications.
- Implement additional monitoring for suspicious activity related to Apache Camel and ConsulRegistry interactions.
Evidence notes
The CVE-2026-27172 details were obtained from the official CVE record and the NVD database. The vulnerability was publicly disclosed on April 27, 2026, and last modified on June 30, 2026. Additional information was gathered from vendor advisories and related bug reports.
Official resources
- CVE-2026-27172 CVE record (CVE.org)
- CVE-2026-27172 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.