Apache Camel security advisory: CVE-2026-40473

Severity

Medium

Summary

Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP

Versions affected

From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.

Versions fixed

4.14.6, 4.18.2, 4.20.0 (see Mitigation below).

Description

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject().
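The defect described above is the absence of any ObjectInputFilter on the stream the converter builds. The following is an added example, not camel-mina code and not the project's actual fix (the JIRA ticket linked under Notes documents that): a hardened stand-in for MinaConverter.toObjectInput that attaches a deny-by-default JEP 290 filter. The class FilteredObjectInputExample, its nested payload type Order, and the allow-list pattern are all hypothetical; the bytes that would come from the IoBuffer are passed in as a byte[] so the example runs with only the JDK (9 or later).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/**
 * Added example (hypothetical, not camel-mina code): a filtered stand-in for
 * MinaConverter.toObjectInput(IoBuffer). The payload bytes that the real
 * converter takes from an IoBuffer are passed in as a byte[] here.
 */
public final class FilteredObjectInputExample {

    /** Constructed payload type that a hypothetical route expects to receive. */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final List<String> items;
        Order(String customer, List<String> items) {
            this.customer = customer;
            this.items = items;
        }
    }

    // Deny-by-default allow-list in JEP 290 pattern syntax: the route's own
    // payload type, the JDK value classes it contains, and resource limits.
    // The trailing "!*" rejects every class not matched earlier, before any
    // of its code (readObject, constructors, static initialisers) can run.
    static final ObjectInputFilter ROUTE_FILTER = ObjectInputFilter.Config.createFilter(
            "FilteredObjectInputExample$Order;java.lang.*;java.util.ArrayList;"
          + "maxdepth=10;maxrefs=1000;maxbytes=65536;!*");

    /** Same shape as the converter, plus the one call the vulnerable version lacks. */
    public static ObjectInputStream toObjectInput(byte[] payload) throws IOException {
        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload));
        in.setObjectInputFilter(ROUTE_FILTER); // JDK 9+: filter consulted on every class resolved
        return in;
    }

    /** Reads one object through the filtered stream; rejected classes throw InvalidClassException. */
    public static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = toObjectInput(payload)) {
            return in.readObject();
        }
    }

    /** Builds payloads locally; stands in for bytes arriving on the MINA consumer port. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: only allow-listed classes, so it deserializes normally.
        byte[] expected = serialize(new Order("acme", new ArrayList<>(List.of("widget"))));
        Order order = (Order) readFiltered(expected);
        System.out.println("accepted: " + order.customer + " " + order.items);

        // Any class outside the allow-list (a plain HashMap here, standing in for
        // whatever an untrusted peer might send) is rejected when the stream
        // resolves its descriptor; the class is never instantiated.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            readFiltered(unexpected);
            System.out.println("BUG: class outside the allow-list was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list is the important design choice: a block-list of known gadget classes is always one library upgrade away from being incomplete, whereas "!*" after the route's own types fails closed. Where the converter code cannot be changed, the same pattern string can be applied process-wide with the standard `-Djdk.serialFilter=...` JVM option, which installs it as the default filter for every ObjectInputStream that does not set its own.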

Notes

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-23319 refers to the various commits that resolved the issue and has more details. This follows the same hardening pattern applied in CAMEL-23297 (camel-netty), CAMEL-23321 (camel-jms), and CAMEL-23322 (camel-infinispan), and matches the class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.

Mitigation

Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS release stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x release stream, they are suggested to upgrade to 4.18.2.

Credit

This issue was discovered by Venkatraman Kumar from Securin.

References

PGP signed advisory data: CVE-2026-40473.txt.asc
Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-40473