PatchSiren cyber security CVE debrief
CVE-2026-40860 Apache CVE debrief
CVE-2026-40860 is a remote code execution vulnerability in Apache Camel, a popular open-source integration framework. The vulnerability exists in the JmsBinding class, which deserializes the payload of incoming JMS ObjectMessage values without applying any ObjectInputFilter, class allowlist, or class denylist. This allows an attacker to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application, potentially leading to remote code execution when a deserialization gadget chain is present on the classpath. The vulnerability affects Apache Camel versions from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0 or apply the necessary patches to fix the issue.
- Vendor: Apache
- Product: Camel
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-27
- Advisory updated: 2026-06-30
Who should care
Apache Camel users and administrators should be aware of this vulnerability and take immediate action to upgrade or patch their installations. This vulnerability is particularly concerning for applications that use Camel as a JMS consumer and have the mapJmsMessage option enabled, which is the default configuration. Additionally, organizations that use Camel in conjunction with other JMS-family components, such as camel-activemq or camel-activemq6, should also take precautions.
Technical summary
The JmsBinding class in Apache Camel deserializes JMS ObjectMessage payloads without applying an ObjectInputFilter, class allowlist, or class denylist, which allows remote code execution when a suitable gadget chain is on the classpath. The vulnerable path is reachable when the mapJmsMessage option is enabled, which is the default configuration. An attacker can exploit this by publishing a crafted ObjectMessage to a queue or topic consumed by a Camel application. The vulnerability affects multiple versions of Apache Camel and is fixed by upgrading to version 4.20.0 or to the patched releases of the affected branches.
Defensive priority
High
Recommended defensive actions
- Upgrade Apache Camel to version 4.20.0 or later
- Alternatively, move to the fixed releases of the affected branches (4.14.7 for 4.14.x, 4.18.2 for 4.18.x)
- Disable the mapJmsMessage option if not required
- Implement additional security measures, such as ObjectInputFilter or class allowlists
- Monitor and audit JMS message consumption and processing
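The recommended action "ObjectInputFilter or class allowlists" refers to the JDK serialization-filter mechanism (JEP 290). The following is an added illustration of that mechanism, not code from Apache Camel and not the 4.20.0 fix; it assumes a hypothetical OrderEvent payload class and constructed depth and reference limits, and shows an allowlist filter accepting the expected payload while rejecting any other class before that class's own deserialization logic runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class FilteredPayloadDemo {

    /** Hypothetical business payload that a JMS consumer legitimately expects. */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;
        OrderEvent(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
        @Override public String toString() {
            return "OrderEvent[" + orderId + ", qty=" + quantity + "]";
        }
    }

    // Allowlist: only the classes a legitimate payload may contain (assumed set).
    private static final Set<String> ALLOWED = Set.of(
            OrderEvent.class.getName(),
            "java.lang.String");

    // Constructed resource limits against deeply nested or reference-heavy streams.
    private static final long MAX_DEPTH = 8;
    private static final long MAX_REFS = 1000;

    /** Allowlist filter: unknown classes are rejected, arrays judged by element type. */
    static final ObjectInputFilter PAYLOAD_FILTER = info -> {
        // Limits are checked on every callback, including ones without a class.
        if (info.depth() > MAX_DEPTH || info.references() > MAX_REFS) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            return ObjectInputFilter.Status.UNDECIDED; // not a class check
        }
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        if (clazz.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ALLOWED.contains(clazz.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    /** Deserializes bytes with the allowlist filter installed before the first read. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(PAYLOAD_FILTER);
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the expected payload class passes the filter.
        Object ok = readFiltered(serialize(new OrderEvent("A-100", 3)));
        System.out.println("accepted: " + ok);

        // Constructed sample: a class outside the allowlist (a plain HashMap here,
        // standing in for any unexpected type) is rejected during class resolution,
        // before its readObject() runs.
        try {
            readFiltered(serialize(new HashMap<String, String>()));
            System.out.println("unexpected: HashMap accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter must be installed on each ObjectInputStream before its first readObject call. Where the deserialization happens inside a library rather than in application code, the JDK also supports a process-wide filter via the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, which applies to every ObjectInputStream in the JVM; that is a JDK feature, and how Camel 4.20.0 itself addresses the issue is not described on this page.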
Evidence notes
The CVE-2026-40860 vulnerability was publicly disclosed on April 27, 2026, and has since been modified on June 30, 2026. The vulnerability affects multiple versions of Apache Camel, and users are recommended to upgrade or apply patches to fix the issue. The NVD and CVE.org provide additional information and resources for affected users.
Official resources
- CVE-2026-40860 CVE record (CVE.org)
- CVE-2026-40860 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.