PatchSiren cyber security CVE debrief
CVE-2026-43865 Apache CVE debrief
Apache Camel Hazelcast component has a Deserialization of Untrusted Data vulnerability. The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. This allows an attacker who can join or reach the Hazelcast cluster to publish a crafted serialized Java object that is then deserialized on every Camel node, resulting in remote code execution. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0 or apply a deserialization filter on the Hazelcast instance.
- Vendor
- Apache
- Product
- Camel
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of Apache Camel, particularly those using the camel-hazelcast component, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 4.21.0 or applying a deserialization filter on the Hazelcast instance. Operators, platform administrators, vulnerability management teams, and security teams should review their deployments and plan for necessary actions.
Technical summary
The vulnerability exists in the Apache Camel Hazelcast component, specifically in the camel-hazelcast component which creates and manages Hazelcast instances with a default configuration that lacks a Java deserialization filter. This omission allows for the deserialization of untrusted data, potentially leading to remote code execution. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. Users should verify their deployments and plan for upgrades or mitigations accordingly, focusing on applying a deserialization filter on the Hazelcast instance or upgrading to version 4.21.0. The exposure is present by default and requires no opt-in endpoint configuration: any route using a hazelcast consumer is affected whenever the managed instance is created from Camel's default configuration.
Defensive priority
High
Recommended defensive actions
- Upgrade to Apache Camel version 4.21.0
- Apply a deserialization filter on the Hazelcast instance
- Enable Hazelcast cluster authentication and TLS
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-06T09:16:35.787Z and was last modified on 2026-07-07T23:38:55.330Z. The NVD entry is currently Analyzed. This vulnerability affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. Users should verify their deployments and plan for upgrades or mitigations accordingly.
Official resources
-
CVE-2026-43865 CVE record
CVE.org
-
CVE-2026-43865 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Mitigation, Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:35.787Z and has not been modified since then. The NVD entry is currently Analyzed.