PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40859 Apache CVE debrief

CVE-2026-40859 is a Deserialization of Untrusted Data vulnerability in Apache Camel. The vulnerability allows for remote code execution if a suitable gadget chain is present on the classpath. This issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.20.0. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter. This deserialization path is reached only when the producer endpoint is configured with transferException=true and throwExceptionOnFailure is left at its default value of true. An attacker who controls the backend the Camel producer talks to can return a crafted serialized Java object and achieve remote code execution on the Camel application host if a suitable gadget chain is present on the classpath. Users of Apache Camel should be aware of this vulnerability and take necessary actions to mitigate it.

Vendor
Apache
Product
Camel
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.20.0 should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter. This deserialization path is reached only when the producer endpoint is configured with transferException=true and throwExceptionOnFailure is left at its default value of true. An attacker who controls the backend the Camel producer talks to can return a crafted serialized Java object and achieve remote code execution on the Camel application host if a suitable gadget chain is present on the classpath.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 4.20.0, which fixes the issue.
  • If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8.
  • If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3.
  • Do not enable transferException=true on producers that talk to untrusted or network-reachable backends.
  • Ensure producer connections use TLS (https) so that a response cannot be substituted by a man-in-the-middle.
  • Set an explicit -Djdk.serialFilter allow-list to constrain deserialization.

Evidence notes

The CVE record was published on 2026-07-06T09:16:35.520Z and was last modified on 2026-07-07T17:40:09.207Z. The NVD entry is currently Analyzed. The vulnerability was reported by an external researcher and is related to the deserialization of untrusted data in Apache Camel. The CVE record provides details on the affected versions and the recommended mitigations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:35.520Z and has not been modified since then. The NVD entry is currently Analyzed.