PatchSiren cyber security CVE debrief
CVE-2026-40473 Apache CVE debrief
CVE-2026-40473 is a remote code execution vulnerability in Apache Camel's camel-mina component. The MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. This allows an attacker to send a crafted serialized Java object over the network to the MINA consumer port, triggering arbitrary code execution in the context of the application during readObject(). The issue affects Apache Camel versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
- Vendor: Apache
- Product: Camel
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-27
- Advisory updated: 2026-06-30
Who should care
Apache Camel users who run camel-mina as a TCP or UDP consumer and request conversion to ObjectInput are exposed to this vulnerability. This covers Apache Camel versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0. Developers and administrators responsible for maintaining and securing Apache Camel-based applications should take immediate action to mitigate it.
Technical summary
The MinaConverter.toObjectInput(IoBuffer) type converter in Apache Camel's camel-mina component is vulnerable to remote code execution. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput, an attacker can send a crafted serialized Java object over the network to the MINA consumer port. This triggers arbitrary code execution in the context of the application during readObject(). The vulnerability is caused by the lack of ObjectInputFilter or class-loading restrictions when wrapping an IoBuffer in a java.io.ObjectInputStream.
Defensive priority
High priority should be given to upgrading Apache Camel to version 4.20.0 or applying the recommended mitigations. Immediate action is necessary to prevent potential remote code execution attacks.
Recommended defensive actions
- Upgrade Apache Camel to version 4.20.0
- If on 4.14.x LTS releases stream, upgrade to 4.14.6
- If on 4.18.x releases stream, upgrade to 4.18.2
- Implement ObjectInputFilter or class-loading restrictions for MinaConverter.toObjectInput(IoBuffer)
- Monitor and restrict incoming network traffic to MINA consumer ports
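The following is an added example, not Camel or MINA code and not taken from the advisory. It shows the unfiltered ObjectInputStream pattern the technical summary describes beside a hardened reader that attaches a JEP 290 ObjectInputFilter before readObject(), which is the kind of restriction the recommended actions call for. OrderEvent and Unexpected are constructed placeholder classes; the allow-list pattern is an assumption for the demo.

```java
import java.io.*;

public class FilteredDeserializationDemo {

    // Constructed placeholder: the only application type this endpoint should accept.
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        OrderEvent(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Constructed placeholder standing in for any unexpected Serializable type on the wire.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Unsafe pattern: no filter, so any class on the classpath can be instantiated by readObject().
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allow-list filter (assumed pattern) is set before readObject().
    // Only OrderEvent and java.base classes pass; "!*" rejects everything else before
    // its deserialization hooks run. maxdepth/maxrefs bound nested object graphs.
    // The same pattern can be applied JVM-wide via -Djdk.serialFilter=... or
    // ObjectInputFilter.Config.setSerialFilter(...).
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "FilteredDeserializationDemo$OrderEvent;java.base/*;maxdepth=5;maxrefs=100;!*");

    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new OrderEvent("A-1", 3));
        byte[] bad = serialize(new Unexpected());
        System.out.println("unfiltered accepts: " + readUnfiltered(bad).getClass().getSimpleName());
        System.out.println("filtered accepts: " + ((OrderEvent) readFiltered(ok)).id);
        try { readFiltered(bad); }
        catch (InvalidClassException e) { System.out.println("filtered rejects: " + e.getMessage()); }
    }
}
```

The filtered reader throws InvalidClassException for Unexpected while the unfiltered one instantiates it; the same check applies regardless of which transport delivered the bytes.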
Evidence notes
The CVE-2026-40473 vulnerability was publicly disclosed on April 27, 2026, and last modified on June 30, 2026. The vulnerability affects Apache Camel versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0. The CVSS score is 8.8 with a severity of HIGH.
Official resources
- CVE-2026-40473 CVE record (CVE.org)
- CVE-2026-40473 NVD detail (NVD)
- Vendor advisory (mitigation or vendor reference)
- Mailing list and third-party advisory (mitigation or vendor reference)
This article is AI-assisted and based on the supplied source corpus.