CVE-2026-25747
Published: 2026-02-23
Priority: P2 · 65
CVSS 3.1: 8.8 high (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.90% (55.2nd percentile)
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component.
The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repository operations, results in arbitrary code execution in the context of the application.
This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, from 4.15.0 before 4.18.0.
Users are recommended to upgrade to version 4.18.0, which fixes the issue. For the 4.10.x LTS releases, users are recommended to upgrade to 4.10.9, and for the 4.14.x LTS releases to 4.14.5.
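As an added illustration (not Camel's own code), the unsafe pattern the advisory describes is shown beside a variant hardened with a JEP 290 ObjectInputFilter allow-list; the class names in the allow-list and the `FilteredDeserialization` class itself are hypothetical placeholders for whatever types a given aggregation store legitimately holds. Upgrading to the fixed release remains the actual remediation.

```java
import java.io.*;
import java.util.*;

public final class FilteredDeserialization {

    // Mirrors the vulnerable pattern: raw readObject() with no filter, so any
    // serializable class on the classpath can be instantiated by whoever wrote the bytes.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened variant: a JEP 290 ObjectInputFilter allow-list. The listed classes are
    // hypothetical; a real deployment lists the exchange/body types its store holds.
    static Object filteredDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;"
                + "maxdepth=10;maxrefs=1000;!*");          // "!*" rejects everything else
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an allow-listed type round-trips through the filter.
        byte[] expected = serialize(new HashMap<>(Map.of("k", 1)));
        System.out.println("filtered, expected type  : " + filteredDeserialize(expected));
        // Constructed sample: a type outside the allow-list. The unsafe path accepts it;
        // the filtered path rejects it before any of its own deserialization logic runs.
        byte[] unexpected = serialize(new Date());
        System.out.println("unsafe, unexpected type  : " + unsafeDeserialize(unexpected));
        try {
            filteredDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The rejection happens when the class descriptor is read, which is what stops gadget chains whose payload lives in readObject/readResolve of a class the store never legitimately contains.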
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | — | — |
| apache | camel | — | — |
| apache | camel | >= 3.0.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 3.0.0 < 4.10.9 | 4.10.9 |
| apache | camel | >= 4.0.0 < 4.14.7 | 4.14.7 |
| apache | camel | >= 4.11.0 < 4.14.5 | 4.14.5 |
| apache | camel | >= 4.15.0 < 4.18.1 | 4.18.1 |
| apache | camel | >= 4.15.0 < 4.18.0 | 4.18.0 |
| apache | camel | >= 4.15.0 < 4.18.2 | 4.18.2 |
| apache_software_foundation | apache_camel_leveldb | >= 3.0.0 < 4.10.9 | 4.10.9 |
| apache_software_foundation | apache_camel_leveldb | >= 4.14.0 < 4.14.5 | 4.14.5 |
| apache_software_foundation | apache_camel_leveldb | >= 4.15.0 < 4.18.0 | 4.18.0 |
Detection & IOCs (extracted from sources)
- Vulnerable class: DefaultLevelDBSerializer in camel-leveldb deserializes data via java.io.ObjectInputStream without an ObjectInputFilter. Monitor for unexpected deserialization gadget-chain execution originating from LevelDB aggregation repository operations.
- The attack vector requires write access to the LevelDB database files on disk. Monitor for unexpected file writes to the LevelDB data directories used by Camel applications.
- The trigger point is during aggregation repository operations (get/recover). Anomalous process spawning or network callbacks from a Camel process during aggregation operations should be investigated as potential deserialization exploitation.
- The affected Maven artifact is org.apache.camel:camel-leveldb. Scan deployed JARs/WARs for this artifact in versions from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, and from 4.15.0 before 4.18.0.
- Same deserialization vulnerability class as CVE-2024-22369 and CVE-2024-23114. Existing detection rules for those CVEs (e.g., Java deserialization gadget chains in Camel components) are directly applicable here.
- No ObjectInputFilter or class-loading restriction is applied. The vulnerable code path uses raw java.io.ObjectInputStream.readObject(), so any serialized Java object written to the LevelDB store is deserialized without validation.
- Red Hat has marked camel-leveldb in Red Hat build of Apache Camel for Spring Boot 4 and Red Hat Fuse 7 as 'Will not fix'. Deployments on these platforms remain permanently vulnerable unless users migrate.
- Affected version ranges differ between sources: NVD/Wiz cite 4.10.0–4.10.8, 4.14.0–4.14.5 and 4.15.0–4.18.0, while the Apache security page cites from 3.0.0 before 4.10.9, from 4.11.0 before 4.14.5 and from 4.15.0 before 4.18.0. Use the broader range (from 3.0.0) for conservative detection coverage.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 7.8 | HIGH | — |
| vendor_apache | 8.8 | HIGH | — |
| vendor_redhat | 8.8 | HIGH | — |
Red Hat
org.apache.camel/camel-leveldb: Apache Camel LevelDB: Arbitrary code execution via deserialization of untrusted data
CVE-2026-25747 · HIGH · CWE-502 · vendor_redhat · 2026-02-23 · CVSS 8.8
Apache
Apache Camel: CVE-2026-25747
CVE-2026-25747 · HIGH · vendor_apache · CVSS 8.8
Apache Camel: Camel-LevelDB: Unsafe Deserialization from LevelDBAggregationRepository
Affected: from 3.0.0 before 4.10.9, from 4.11.0 before 4.14.5, from 4.15.0 before 4.18.0. Fixed in: 4.10.9, 4.14.5 and 4.18.0. Severity: high.
GHSA
Apache Camel-Infinispan Component Vulnerable to Deserialization of Untrusted Data
CVE-2026-40858 · HIGH · CWE-502 · ghsa · 2026-04-27 · CVSS 7.8
The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application.
This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.
Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases
GHSA
Apache Camel-Consul component vulnerable to Deserialization of Untrusted Data
CVE-2026-27172 · HIGH · CWE-502 · ghsa · 2026-04-27 · CVSS 7.8
The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-257
OSV
Apache Camel Deserializes Untrusted Data in its LevelDB Component
CVE-2026-25747 · HIGH · osv · 2026-02-23
GHSA
Apache Camel Deserializes Untrusted Data in its LevelDB Component
CVE-2026-25747 · HIGH · CWE-502 · ghsa · 2026-02-23
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-40858 org.apache.camel/camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data
CVE-2026-40858 · HIGH · bugzilla · 2026-04-27 · CVSS 7.8
Bugzilla
CVE-2026-27172 org.apache.camel/camel-consul: Apache Camel camel-consul: Arbitrary code execution via deserialization of untrusted data
CVE-2026-27172 · HIGH · bugzilla · 2026-04-27 · CVSS 7.8
Bugzilla
CVE-2026-6857 camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization
CVE-2026-6857 · HIGH · bugzilla · 2026-04-21 · CVSS 7.8
Unsafe deserialization in camel-infinispan ProtoStream remote aggregation repository. DefaultExchangeHolderUtils.deserialize() uses ClassLoadingAwareObjectInputStream.readObject() without ObjectInputFilter. Same pattern as CVE-2024-22369, CVE-2024-23114, CVE-2026-25747.
Verified on Camel 4.10.0 + Infinispan 15.1.4. Reported to [email protected] and MITRE CVE Request #2024308.
Wiz
CVE-2026-25747 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-25747 · HIGH · blogs_wiz · CVSS 8.8
Java vulnerability analysis and mitigation
References:
- https://camel.apache.org/security/CVE-2026-25747.html
- https://github.com/oscerd/CVE-2026-25747
- http://www.openwall.com/lists/oss-security/2026/02/18/6
- https://access.redhat.com/security/cve/CVE-2026-25747
- https://bugzilla.redhat.com/show_bug.cgi?id=2441910
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25747.json