PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40473 Apache CVE debrief

CVE-2026-40473 is a remote code execution vulnerability in Apache Camel's camel-mina component. The MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. This allows an attacker to send a crafted serialized Java object over the network to the MINA consumer port, triggering arbitrary code execution in the context of the application during readObject(). The issue affects Apache Camel versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Vendor: Apache
Product: Camel
CVSS: 8.8 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-27
Original CVE updated: 2026-06-30
Advisory published: 2026-04-27
Advisory updated: 2026-06-30

Who should care

Anyone running Apache Camel with a camel-mina TCP or UDP consumer whose route converts the received message body to java.io.ObjectInput, on versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, or from 4.19.0 before 4.20.0 (the first release of each fixed stream is not affected). The conversion does not have to be an explicit .convertBodyTo(ObjectInput.class): a processor that calls getBody(ObjectInput.class), or a bean method with an ObjectInput parameter that Camel binds the body to, requests the same converter, so audit for all three patterns. The consumer port itself is the attack surface, so whoever can send a packet to it can deliver the payload; with a UDP consumer the source address can also be spoofed. Developers and administrators of Camel-based applications should confirm their resolved camel-mina version and audit their routes now.

Technical summary

The camel-mina component ships a type converter, MinaConverter.toObjectInput(IoBuffer), that turns the MINA IoBuffer holding the raw bytes read from the socket into a java.io.ObjectInput by wrapping them in a plain java.io.ObjectInputStream. No ObjectInputFilter is attached and no class-loading restriction is applied, so the stream will resolve and instantiate any Serializable class on the application's classpath that the attacker names in the byte stream. Java deserialization runs a class's readObject, readResolve and related hooks while the stream is still being parsed, which is how gadget chains in libraries already present on the classpath turn an unrestricted ObjectInputStream into arbitrary code execution in the context of the application. The attacker's code runs before readObject() returns, so no check the route performs on the resulting object can help. All an attacker needs is network reach to the MINA consumer port and a crafted serialized object; whether the route asks for ObjectInput explicitly or Camel performs the conversion implicitly for a processor or bean parameter, the unfiltered converter does the work.

Defensive priority

Treat this as high priority. The flaw is reachable with a single network message to the consumer port, needs no interaction from anyone on the receiving side, and yields code execution with the privileges of the Camel process. Upgrade to a fixed release first; where that cannot happen immediately, reduce exposure with a JVM-wide deserialization filter and network restrictions on the MINA consumer ports.

Recommended defensive actions

  • Upgrade Apache Camel to 4.20.0, the latest fixed release. Verify the resolved version with `mvn dependency:tree` (or the equivalent for your build tool), since camel-mina is often pulled in transitively.
  • If on the 4.14.x LTS release stream, upgrade to 4.14.6; if on the 4.18.x stream, upgrade to 4.18.2. The affected range runs from 3.0.0 straight through to 4.14.6, so no fixed 3.x release is listed: 3.x users must move to one of the fixed 4.x streams.
  • Until the upgrade lands, install a process-wide Java deserialization filter (the `jdk.serialFilter` system property, or `ObjectInputFilter.Config.setSerialFilter` at startup) that allow-lists only the classes your routes legitimately receive and rejects everything else with `!*`. A process-wide filter applies to every ObjectInputStream in the JVM, including the one MinaConverter creates, which your own code cannot otherwise reach.
  • Audit routes for conversions to java.io.ObjectInput (explicit convertBodyTo and getBody calls, and bean parameters of that type) and move the wire format away from Java serialization to one that cannot instantiate arbitrary classes, for example MINA's text-line codec (`textline=true`) with a String body and an explicit data format on top.
  • Restrict network access to MINA consumer ports to known sources with host or network firewalls, and monitor those ports for unexpected peers and for the Java serialization stream header (bytes AC ED 00 05) arriving where serialized objects are not expected. For UDP consumers, remember that source-address filtering alone is weak because the sender can spoof it.
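The following is an added example written for this debrief, not code from the Camel project. It reproduces the pattern described in the technical summary (an ObjectInputStream wrapped around untrusted bytes with no filter) and demonstrates the mitigation recommended above: a per-stream allow-list filter for code you control, and the process-wide filter that also covers streams created by library code such as the converter. `SerialFilterDemo`, `Order` and `SideEffectOnRead` are names invented here; `SideEffectOnRead` stands in for a gadget chain and only counts how often its readObject hook runs. It needs nothing beyond a JDK that has java.io.ObjectInputFilter (Java 9 or later; Camel 4.x already requires Java 17) and must be started without `-Djdk.serialFilter`, because the process-wide filter can be set only once.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {

    /** Stand-in for a deserialization gadget (hypothetical): its readObject hook runs as soon as the
     *  stream parser reaches it. A real gadget would spawn a process or load a class here. */
    static final class SideEffectOnRead implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile int readObjectCalls = 0;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectCalls++;
        }
    }

    /** The one message type the route legitimately expects (hypothetical). */
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        Order(int id) { this.id = id; }
    }

    /** Produces the bytes an attacker or a legitimate client would put on the wire. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Mirrors the flaw: socket bytes wrapped directly in an ObjectInputStream, no filter. */
    static Object unsafeRead(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Hardened form for code you control: an allow-list filter attached to this stream.
     *  Classes not listed are rejected when their descriptor is read, before instantiation. */
    static Object filteredRead(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    Order.class.getName() + ";!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Order(42));            // constructed sample input
        byte[] hostile = serialize(new SideEffectOnRead());  // constructed sample "payload"

        // 1. The unrestricted stream runs the attacker-chosen readObject before returning anything.
        unsafeRead(hostile);
        System.out.println("unfiltered: gadget readObject ran " + SideEffectOnRead.readObjectCalls + " time(s)");

        // 2. The filtered stream still accepts the expected type ...
        Order o = (Order) filteredRead(benign);
        System.out.println("filtered: accepted Order " + o.id);

        // 3. ... and rejects the gadget before its readObject hook can execute.
        int before = SideEffectOnRead.readObjectCalls;
        try {
            filteredRead(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
        System.out.println("gadget readObject calls during filtered attempt: "
                + (SideEffectOnRead.readObjectCalls - before));

        // 4. Library code such as the vulnerable converter creates its own unfiltered streams, so set
        //    the process-wide filter once at startup. It applies to every ObjectInputStream created
        //    afterwards that has no stream-specific filter. The command-line equivalent is
        //    -Djdk.serialFilter='<your allowed classes>;!*'. Setting it twice throws IllegalStateException.
        ObjectInputFilter.Config.setSerialFilter(
                ObjectInputFilter.Config.createFilter(Order.class.getName() + ";!*"));
        try {
            unsafeRead(hostile);   // same unrestricted code path as step 1, now blocked by the global filter
            System.out.println("global filter: NOT applied (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("global filter: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Step 1 is the behaviour the advisory describes: the counter increments even though the caller never touched the returned object. Step 4 is what makes the mitigation usable against a converter you cannot edit: the global filter is captured when each ObjectInputStream is constructed, so it governs MinaConverter's stream as long as it is installed before the Camel context starts. Keep the allow-list to the concrete classes your routes receive; a filter that admits broad packages or `*` gives no protection.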

Evidence notes

The CVE-2026-40473 vulnerability was publicly disclosed on April 27, 2026, and last modified on June 30, 2026. The vulnerability affects Apache Camel versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0. The CVSS score is 8.8 with a severity of HIGH.

Official resources

This article is AI-assisted and based on the supplied source corpus.