CVE-2026-40473
Published 2026-04-27
Priority: P2 (64) · Severity: high · CVSS 3.1: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.93% (56.0th percentile)
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject().
This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.
Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
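The vulnerable pattern and its hardened counterpart, as an added illustration that is not Apache Camel's own code: a `byte[]` stands in for the MINA `IoBuffer` that `MinaConverter.toObjectInput` wraps, and the `Greeting` class is a constructed stand-in for whatever payload type a route legitimately expects. The unfiltered reader instantiates whatever class the sender names; the filtered reader binds a JEP 290 `ObjectInputFilter` allowlist to the stream, so an unlisted class is rejected with `InvalidClassException` before any of its code runs.

```java
import java.io.*;
import java.util.HashMap;

// Added illustration (not Apache Camel code): the unsafe pattern behind
// CVE-2026-40473 next to a filtered version. A byte[] stands in for the
// MINA IoBuffer that MinaConverter.toObjectInput wraps; Greeting is a
// constructed payload type for this demo.
public class SerialFilterDemo {

    // A harmless payload type that the application legitimately expects.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    // Shape of the vulnerable converter: the stream takes whatever the
    // network sent, and readObject() resolves and instantiates any class.
    public static Object unfilteredRead(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    // Hardened form: an allowlist filter (JEP 290) bound to this stream.
    // Only Greeting may be resolved; "!*" rejects every other class before
    // its constructor or readObject runs. maxdepth/maxrefs/maxbytes bound
    // the resources a nested object graph can consume.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=65536;" + Greeting.class.getName() + ";!*");

    public static Object filteredRead(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Builds wire bytes the way a client would write them.
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        // HashMap stands in for any class the route never asked for.
        byte[] unexpected = serialize(new HashMap<String, String>());

        // Unfiltered: both streams deserialize; the class choice is the sender's.
        System.out.println("unfiltered: " + unfilteredRead(expected).getClass().getSimpleName());
        System.out.println("unfiltered: " + unfilteredRead(unexpected).getClass().getSimpleName());

        // Filtered: Greeting passes; HashMap is rejected before instantiation.
        System.out.println("filtered:   " + ((Greeting) filteredRead(expected)).text);
        try {
            filteredRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered:   rejected -> " + e.getMessage());
        }
    }
}
```

For deployments that cannot upgrade yet (for example the Red Hat packages listed below as still under investigation), the same pattern syntax can be set process-wide with the `jdk.serialFilter` system property; `ObjectInputStream` picks that filter up at construction, so it also governs the stream the converter creates. The durable fix remains the upgrade, together with not requesting `ObjectInput` conversion on routes fed by a network consumer.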
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | — | — |
| apache | camel | >= 3.0.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 4.15.0 < 4.18.2 | 4.18.2 |
| apache_software_foundation | apache_camel_mina | >= 3.0.0 < 4.14.6 | 4.14.6 |
| apache_software_foundation | apache_camel_mina | >= 4.15.0 < 4.18.2 | 4.18.2 |
| apache_software_foundation | apache_camel_mina | >= 4.19.0 < 4.20.0 | 4.20.0 |
Detection & IOCs (extracted from sources)
Detection:
- Detect insecure deserialization via camel-mina: monitor for ObjectInputStream instantiation in MinaConverter.toObjectInput(IoBuffer) without any ObjectInputFilter applied — indicates the vulnerable code path is being exercised.
- Alert on Camel routes that invoke getBody(ObjectInput.class) or use @Body ObjectInput on a camel-mina TCP/UDP consumer — these are the trigger conditions for the vulnerable deserialization path.
- Monitor network traffic to MINA consumer ports (TCP/UDP) for Java serialized object magic bytes (0xACED0005) — inbound payloads matching this signature targeting camel-mina listener ports are indicative of exploitation attempts.
- Flag processes running Apache Camel versions 3.0.0 through 4.14.5, 4.15.0 through 4.18.1, or 4.19.0 through 4.19.x as vulnerable to this CVE when camel-mina, camel-mina2, camel-mina2-starter, or camel-mina-sftp packages are present.
Notes:
- The vulnerability is only exploitable when a Camel route explicitly uses camel-mina as a TCP or UDP consumer AND requests ObjectInput conversion — routes not using this conversion type are not directly exposed via this vector.
- Multiple affected package names exist across product lines (camel-mina, camel-mina2, camel-mina2-starter, camel-mina-sftp); detection and patching scope must cover all variants, particularly in Red Hat Fuse 7 and Red Hat build of Apache Camel for Spring Boot 4, which were still under investigation at time of disclosure.
- Exploitation occurs at readObject() call time — no ObjectInputFilter or class-loading restrictions are applied, meaning any gadget chain deliverable via Java serialization is potentially usable by an attacker.
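A triage check for the network-signature item above, as an added example that is neither Camel nor MINA code: it recognises the 0xACED0005 stream header on bytes arriving at a listener port and pulls the class names out of the stream's TC_CLASSDESC records, so an alert can state what the sender asked the JVM to instantiate rather than only that a serialized payload arrived. The class-name scan is a heuristic over the raw bytes, not a full parser of the serialization grammar; the sample payloads are constructed in-process.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added illustration (not Apache Camel or MINA code): a triage check for
// bytes arriving on a camel-mina TCP/UDP listener port. Recognises the
// Java serialization stream header and extracts class names from
// TC_CLASSDESC records. Heuristic scan, not a full stream parser.
public class SerialWireCheck {

    static final int TC_CLASSDESC = 0x72;

    // STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005, i.e. the
    // "0xACED0005" signature named in the detection note.
    public static boolean looksLikeJavaSerialization(byte[] payload) {
        return payload.length >= 4
                && (payload[0] & 0xFF) == 0xAC && (payload[1] & 0xFF) == 0xED
                && (payload[2] & 0xFF) == 0x00 && (payload[3] & 0xFF) == 0x05;
    }

    // Each TC_CLASSDESC is followed by a modified-UTF class name:
    // 2-byte big-endian length, then the name bytes. Keep the ones that
    // look like Java binary class names.
    public static List<String> classDescriptorNames(byte[] payload) {
        List<String> names = new ArrayList<>();
        if (!looksLikeJavaSerialization(payload)) return names;
        for (int i = 4; i + 3 <= payload.length; i++) {
            if ((payload[i] & 0xFF) != TC_CLASSDESC) continue;
            int len = ((payload[i + 1] & 0xFF) << 8) | (payload[i + 2] & 0xFF);
            int start = i + 3;
            if (len == 0 || len > 256 || start + len > payload.length) continue;
            String name = new String(payload, start, len, StandardCharsets.US_ASCII);
            if (name.matches("[A-Za-z_$][A-Za-z0-9_$.]*")) {
                names.add(name);
                i = start + len - 1;  // resume scanning after the name
            }
        }
        return names;
    }

    // Alert label: a serialized payload on a port that should only carry
    // application data is worth flagging even when no class name is found.
    public static String classify(byte[] payload) {
        if (!looksLikeJavaSerialization(payload)) return "not-java-serialization";
        List<String> names = classDescriptorNames(payload);
        return names.isEmpty() ? "java-serialization(no-class-desc)" : "java-serialization" + names;
    }

    // Builds a constructed sample the way a client would write it.
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples: ordinary text versus a serialized java.util.HashMap.
        byte[] text = "GET / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] serialized = serialize(new java.util.HashMap<String, String>());
        System.out.println(classify(text));
        System.out.println(classify(serialized));
    }
}
```

Run against captured payloads rather than a live socket; the check is cheap enough to apply to every datagram or the first bytes of every TCP session on the listener port, and the extracted names are what to pivot on when deciding whether a hit is a benign client or an attempt to reach a gadget class.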
CVSS provenance
- NVD (CVSS v3.1): 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Red Hat (vendor): 8.8 HIGH
GHSA
ghsa · 2026-04-27
CVE-2026-40473 [HIGH] CWE-502: Camel-MINA Vulnerable to Deserialization of Untrusted Data
Red Hat
vendor_redhat · 2026-04-27 · CVSS 8.8
CVE-2026-40473 [HIGH] CWE-502: Apache Camel: camel-mina: Apache Camel camel-mina: Arbitrary code execution via insecure deserialization
A flaw was found in the camel-mina component of Apache Camel. This vulnerability allows a remote attacker to achieve arbitrary code execution by sending a specially crafted serialized Java object over the network to the MINA consumer port. The `MinaConverter.toObjectInput` type converter, used when a Camel route processes network input, fails to apply necessary security filters or class-loading restrictions during object deserialization. This oversight enables an attacker to execute malicious code within the application's context.
- Package: camel-mina-sftp (Red Hat build of Apache Camel for Spring Boot 4): under investigation
- Package: camel-mina (Red Hat Fuse 7): under investigation
No detection rules found.
No public exploits indexed.
Published: 2026-04-27