PatchSiren cyber security CVE debrief
CVE-2026-40859 Apache CVE debrief
CVE-2026-40859 is a Deserialization of Untrusted Data vulnerability in Apache Camel. The vulnerability allows for remote code execution if a suitable gadget chain is present on the classpath. This issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.20.0. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter. This deserialization path is reached only when the producer endpoint is configured with transferException=true and throwExceptionOnFailure is left at its default value of true. An attacker who controls the backend the Camel producer talks to can return a crafted serialized Java object and achieve remote code execution on the Camel application host if a suitable gadget chain is present on the classpath. Users of Apache Camel should be aware of this vulnerability and take necessary actions to mitigate it.
- Vendor
- Apache
- Product
- Camel
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.20.0 should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter. This deserialization path is reached only when the producer endpoint is configured with transferException=true and throwExceptionOnFailure is left at its default value of true. An attacker who controls the backend the Camel producer talks to can return a crafted serialized Java object and achieve remote code execution on the Camel application host if a suitable gadget chain is present on the classpath.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 4.20.0, which fixes the issue.
- If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8.
- If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3.
- Do not enable transferException=true on producers that talk to untrusted or network-reachable backends.
- Ensure producer connections use TLS (https) so that a response cannot be substituted by a man-in-the-middle.
- Set an explicit -Djdk.serialFilter allow-list to constrain deserialization.
Evidence notes
The CVE record was published on 2026-07-06T09:16:35.520Z and was last modified on 2026-07-07T17:40:09.207Z. The NVD entry is currently Analyzed. The vulnerability was reported by an external researcher and is related to the deserialization of untrusted data in Apache Camel. The CVE record provides details on the affected versions and the recommended mitigations.
Official resources
-
CVE-2026-40859 CVE record
CVE.org
-
CVE-2026-40859 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Mitigation, Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:35.520Z and has not been modified since then. The NVD entry is currently Analyzed.