PatchSiren cyber security CVE debrief

CVE-2026-40860 Apache CVE debrief

CVE-2026-40860 is a remote code execution vulnerability in Apache Camel, a popular open-source integration framework. The vulnerability exists in the JmsBinding class, which deserializes the payload of incoming JMS ObjectMessage values without applying any ObjectInputFilter, class allowlist, or class denylist. This allows an attacker to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application, potentially leading to remote code execution when a deserialization gadget chain is present on the classpath. The vulnerability affects Apache Camel versions from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0 or apply the necessary patches to fix the issue.

Vendor: Apache
Product: Camel
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-27
Original CVE updated: 2026-06-30
Advisory published: 2026-04-27
Advisory updated: 2026-06-30

Who should care

Apache Camel users and administrators should be aware of this vulnerability and take immediate action to upgrade or patch their installations. This vulnerability is particularly concerning for applications that use Camel as a JMS consumer and have the mapJmsMessage option enabled, which is the default configuration. Additionally, organizations that use Camel in conjunction with other JMS-family components, such as camel-activemq or camel-activemq6, should also take precautions.

Technical summary

The JmsBinding class in Apache Camel deserializes JMS ObjectMessage payloads without proper filtering, allowing for remote code execution. The vulnerability is reachable when the mapJmsMessage option is enabled, which is the default configuration. An attacker can exploit this by publishing a crafted ObjectMessage to a queue or topic consumed by a Camel application. The vulnerability affects multiple versions of Apache Camel and can be mitigated by upgrading to version 4.20.0 or applying the necessary patches.

Defensive priority

High

Recommended defensive actions

  • Upgrade Apache Camel to version 4.20.0 or later
  • Where a move to 4.20.0 is not possible, upgrade to the patched release of your branch (4.14.7 for 4.14.x, 4.18.2 for 4.18.x)
  • Disable the mapJmsMessage option if not required
  • Implement additional security measures, such as ObjectInputFilter or class allowlists
  • Monitor and audit JMS message consumption and processing
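The technical summary and the actions above both come down to one point: an ObjectInputStream that resolves JMS ObjectMessage payloads must run under an ObjectInputFilter that allowlists the few application types a producer is permitted to send and rejects everything else. The following is an added example, not Apache Camel code and not from the advisory, showing that pattern with the JDK's own filter API (JEP 290, Java 9+). The Order class, the filter pattern and the sample payloads are constructed for illustration; a real consumer would name its own message types in the pattern.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example (not Apache Camel code): deserializing an ObjectMessage body
 * under an ObjectInputFilter allowlist instead of with a bare readObject().
 */
public class FilteredDeserialization {

    /** Hypothetical application DTO that a JMS producer is allowed to send. */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    /**
     * Allowlist filter (constructed for this example):
     *  - maxdepth/maxrefs bound the object graph a malformed stream can build;
     *  - the application's own DTO and the java.lang types it is built from are permitted;
     *  - the trailing "!*" rejects every class not named before it, which is what
     *    closes the door on gadget-chain classes that happen to be on the classpath.
     */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;"
          + "FilteredDeserialization$Order;java.lang.*;!*");

    /** Stand-in for an ObjectMessage body: serializes a payload to bytes (constructed input). */
    static byte[] toBytes(Serializable payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(payload);
        }
        return bos.toByteArray();
    }

    /**
     * Consumer side: the filter is installed right after the stream is opened and
     * before the first readObject(), so every class descriptor in the stream is
     * checked. A rejected class surfaces as InvalidClassException, not as an
     * instantiated object.
     */
    static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected message type: passes the allowlist.
        Order ok = (Order) readFiltered(toBytes(new Order("A-100", 3)));
        System.out.println("accepted: " + ok.id + " x" + ok.quantity);

        // Any type the consumer never asked for (HashMap stands in here) is refused
        // before it is instantiated.
        try {
            readFiltered(toBytes(new HashMap<String, String>()));
            System.out.println("UNEXPECTED: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Two deployment notes follow from this. First, when the deserialization happens inside a framework class you do not control, as it does in the affected JmsBinding, the same allowlist can be applied process-wide with the `jdk.serialFilter` system property (or `ObjectInputFilter.Config.setSerialFilter` at startup), which is a reasonable interim control until the upgrade lands; tune `maxdepth`/`maxrefs` against real traffic first so legitimate messages are not dropped. Second, rejections logged as `InvalidClassException ... filter status: REJECTED` on a JMS consumer are a useful detection signal for the monitoring action listed above, since a well-behaved producer never triggers them.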

Evidence notes

The CVE-2026-40860 vulnerability was publicly disclosed on April 27, 2026, and the record was last updated on June 30, 2026. The vulnerability affects multiple versions of Apache Camel, and users are recommended to upgrade or apply patches to fix the issue. The NVD and CVE.org provide additional information and resources for affected users.

Official resources

This article was generated with AI assistance based on the supplied source corpus.