cbcvebase.
CVE-2026-40473
published 2026-04-27


Priority: P2 (64) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.93% (56.0th percentile)
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
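The two shapes the description contrasts, as an added example that is neither Camel's code nor the 4.20.0 fix: toObjectInputUnfiltered mirrors the pattern the advisory describes (wire bytes wrapped straight in java.io.ObjectInputStream, nothing else), toObjectInputFiltered sets a per-stream allowlist filter before the first read, and the last step shows the JVM-wide filter that any ObjectInputStream without its own filter inherits. Greeting, the method names and the filter pattern are demo inventions, a byte array stands in for the IoBuffer, and java.util.HashMap stands in for whatever class an attacker would choose (it is not a gadget chain). Assumes Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInput;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/** Unfiltered vs. filtered deserialization of bytes received from the network (demo, not Camel code). */
public final class SerialFilterDemo {
    /** The only type the application expects on the wire. Constructed for this demo. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Vulnerable shape: wire bytes wrapped directly in ObjectInputStream with no filter,
     *  which is what the advisory says MinaConverter.toObjectInput(IoBuffer) does. */
    static ObjectInput toObjectInputUnfiltered(byte[] wire) throws IOException {
        return new ObjectInputStream(new ByteArrayInputStream(wire));
    }

    /** Hardened shape: a per-stream allowlist filter installed before anything is read. */
    static ObjectInput toObjectInputFiltered(byte[] wire, ObjectInputFilter filter) throws IOException {
        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire));
        in.setObjectInputFilter(filter);
        return in;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allowlist by binary class name (nested class => '$'), resource limits, then reject everything else.
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
                "SerialFilterDemo$Greeting;java.lang.String;maxdepth=4;maxbytes=65536;!*");

        byte[] expected = serialize(new Greeting("hi"));
        byte[] unexpected = serialize(new HashMap<String, String>()); // attacker-chosen class stand-in

        // 1. Unfiltered: whatever class the stream names is resolved and instantiated. This is the bug.
        Object o = toObjectInputUnfiltered(unexpected).readObject();
        System.out.println("unfiltered accepted " + o.getClass().getName());

        // 2. Filtered: the expected type passes, the unexpected class is rejected before any of its code runs.
        Greeting g = (Greeting) toObjectInputFiltered(expected, allow).readObject();
        System.out.println("filtered accepted Greeting(" + g.text + ")");
        try {
            toObjectInputFiltered(unexpected, allow).readObject();
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage()); // "filter status: REJECTED"
        }

        // 3. JVM-wide fallback (JEP 290): streams that set no filter inherit this one, so the unfiltered
        //    path above is covered too. Settable once per JVM; throws IllegalStateException if
        //    -Djdk.serialFilter already installed a filter, in which case the property is doing this job.
        ObjectInputFilter.Config.setSerialFilter(allow);
        try {
            toObjectInputUnfiltered(unexpected).readObject();
        } catch (InvalidClassException e) {
            System.out.println("global filter rejected: " + e.getMessage());
        }
    }
}
```

Step 3 is the interim control for a deployment that cannot upgrade yet: because the converter never installs a stream-level filter, the process-wide filter set via -Djdk.serialFilter applies to it. An allowlist is the only sane shape for that filter; a denylist of known gadget classes is always one library upgrade behind.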

Affected (6 ranges)

Vendor                       Product            Version range         Fixed in
apache                       camel              >= 4.19.0 < 4.20.0    4.20.0
apache                       camel              >= 3.0.0 < 4.14.6     4.14.6
apache                       camel              >= 4.15.0 < 4.18.2    4.18.2
apache_software_foundation   apache_camel_mina  >= 3.0.0 < 4.14.6     4.14.6
apache_software_foundation   apache_camel_mina  >= 4.15.0 < 4.18.2    4.18.2
apache_software_foundation   apache_camel_mina  >= 4.19.0 < 4.20.0    4.20.0

Detection & IOCs (extracted from sources)

  • Detect the vulnerable code path at runtime: instrumentation (a Java agent or JFR allocation events, for example) that sees java.io.ObjectInputStream constructed inside MinaConverter.toObjectInput(IoBuffer) with no ObjectInputFilter applied shows the unfiltered deserialization path being exercised.
  • Alert on Camel routes that call getBody(ObjectInput.class) or declare @Body ObjectInput on a camel-mina TCP or UDP consumer; these are the trigger conditions for the vulnerable conversion.
  • Monitor traffic to MINA consumer ports (TCP and UDP) for the Java serialization stream header (magic bytes AC ED 00 05); inbound payloads carrying this header toward camel-mina listener ports indicate exploitation attempts.
  • Flag processes running Apache Camel 3.0.0 through 4.14.5, 4.15.0 through 4.18.1, or 4.19.0 through 4.19.x as vulnerable when the camel-mina, camel-mina2, camel-mina2-starter or camel-mina-sftp packages are present.
  • Scope: the issue is only exploitable when a Camel route explicitly uses camel-mina as a TCP or UDP consumer and requests ObjectInput conversion; routes that never request that conversion are not exposed through this vector.
  • Packaging: the affected component ships under several names (camel-mina, camel-mina2, camel-mina2-starter, camel-mina-sftp), so detection and patching must cover every variant, in particular Red Hat Fuse 7 and the Red Hat build of Apache Camel for Spring Boot 4, which were still under investigation at the time of disclosure.
  • Impact: code runs at readObject() time and, because no ObjectInputFilter or class-loading restriction is applied, any gadget chain deliverable through Java serialization and present on the application's classpath is usable. Interim mitigation on unpatched versions: a JVM-wide filter (-Djdk.serialFilter=<allowlist>) is inherited by every ObjectInputStream that sets no filter of its own, so it covers this converter; it reduces exposure but does not replace the upgrade.
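The network-side check from the list above, worked through as an added example (not part of the original page and not a Camel or MINA component): a passive detector that looks for the serialization stream header in a raw TCP/UDP payload and decodes just enough of the stream grammar to name the first class the stream would instantiate, without ever deserializing anything. It scans every offset rather than only offset 0, so a length prefix or other framing in front of the object stream does not hide it. The class, method and record names are demo inventions; the sample payloads are constructed in main. Assumes Java 17 or later (records).

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/** Passive detector for Java serialization stream headers in raw network payloads (demo code). */
public final class SerialMagicDetector {
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05}; // STREAM_MAGIC + STREAM_VERSION

    /** One hit: where the header starts and which class the stream opens with. */
    public record Hit(int offset, String leadingClass) {}

    /** Scans the whole payload so framing in front of the object stream cannot hide the header. */
    public static List<Hit> scan(byte[] payload) {
        List<Hit> hits = new ArrayList<>();
        for (int i = 0; i + MAGIC.length <= payload.length; i++) {
            if (payload[i] == MAGIC[0] && payload[i + 1] == MAGIC[1]
                    && payload[i + 2] == MAGIC[2] && payload[i + 3] == MAGIC[3]) {
                hits.add(new Hit(i, leadingClass(payload, i + MAGIC.length)));
            }
        }
        return hits;
    }

    /** Reads the first type code after the header; never resolves or instantiates a class. */
    static String leadingClass(byte[] b, int p) {
        if (p >= b.length) return "<truncated>";
        int tc = b[p] & 0xFF;
        switch (tc) {
            case 0x74: return "java.lang.String";        // TC_STRING
            case 0x77: return "<blockdata>";             // TC_BLOCKDATA: primitives only
            case 0x73: case 0x75: case 0x7E: case 0x76:  // TC_OBJECT, TC_ARRAY, TC_ENUM, TC_CLASS
                return classDesc(b, p + 1);
            default: return String.format("<tc 0x%02X>", tc);
        }
    }

    private static String classDesc(byte[] b, int p) {
        if (p >= b.length) return "<truncated>";
        int tc = b[p] & 0xFF;
        if (tc == 0x72) return readUtf(b, p + 1);        // TC_CLASSDESC: UTF class name follows
        if (tc == 0x7D) {                                // TC_PROXYCLASSDESC: int count, then interface names
            if (p + 5 > b.length) return "<truncated>";
            return "proxy:" + readUtf(b, p + 5);
        }
        return String.format("<tc 0x%02X>", tc);
    }

    private static String readUtf(byte[] b, int p) {
        if (p + 2 > b.length) return "<truncated>";
        int len = ((b[p] & 0xFF) << 8) | (b[p + 1] & 0xFF);
        if (p + 2 + len > b.length) return "<truncated>";
        return new String(b, p + 2, len, StandardCharsets.UTF_8); // modified UTF-8; identical for ASCII names
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples: a bare object stream, the same stream behind a 4-byte length prefix, plain text.
        byte[] bare = serialize(new HashMap<String, String>());
        ByteArrayOutputStream framedOut = new ByteArrayOutputStream();
        new DataOutputStream(framedOut).writeInt(bare.length);
        framedOut.write(bare);
        byte[] framed = framedOut.toByteArray();
        byte[] text = "plain text protocol line\n".getBytes(StandardCharsets.UTF_8);

        for (byte[] payload : new byte[][] {bare, framed, text}) {
            List<Hit> hits = scan(payload);
            System.out.println(hits.isEmpty() ? "no serialization header" : hits.toString());
        }
        // Expected: offset 0 and offset 4 both report java.util.HashMap; the text line reports nothing.
        // Alert rule: any hit toward a camel-mina consumer port deserves an alert; a leading class outside
        // the application's expected types is the stronger signal.
    }
}
```

The leading class is a triage aid, not a verdict: a gadget chain usually opens with a benign-looking collection class, which is exactly why the rule should fire on the header alone and use the class name only for prioritisation.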

CVSS provenance

nvd            v3.1  8.8  HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat        8.8  HIGH