CVE-2026-40860
published 2026-04-27


Priority: P2 · 65 · Critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.88% (54.6th percentile)
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. Users on the 4.14.x LTS release stream should upgrade to 4.14.7, and users on the 4.18.x release stream should upgrade to 4.18.2.
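The mitigation a defender can apply without waiting for a code change is a process-wide java.io.ObjectInputFilter: the JMS client's internal ObjectInputStream, which is what ObjectMessage.getObject() ends up calling, then refuses any class outside an allowlist before it is resolved. The following is an added illustration, not code from the advisory or from the Camel project; the OrderEvent DTO, the pattern string and the HashMap sample are assumptions.

```java
import java.io.*;
import java.util.HashMap;

public final class JmsPayloadFilterDemo {

    // Hypothetical DTO: the only application type this consumer expects inside an ObjectMessage.
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String orderId;
        public OrderEvent(String orderId) { this.orderId = orderId; }
    }

    // Allowlist (assumed): the DTO plus java.lang.String; "!*" rejects every other class before
    // it is resolved, and the limits cap nesting depth and stream size. This is the same pattern
    // syntax as the -Djdk.serialFilter=... JVM option, which needs no code change at all.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "JmsPayloadFilterDemo$OrderEvent;java.lang.String;!*;maxdepth=4;maxbytes=65536");

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(value); }
        return bos.toByteArray();
    }

    // Stands in for the provider-side readObject() behind ObjectMessage.getObject(): no per-stream
    // filter is set, so only the process-wide filter stands between the broker and the classpath.
    static Object deserializeLikeJmsProvider(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Install once at JVM start-up, before any consumer thread deserializes. Throws
        // IllegalStateException if a filter was already installed via -Djdk.serialFilter.
        ObjectInputFilter.Config.setSerialFilter(ALLOWLIST);

        OrderEvent ok = (OrderEvent) deserializeLikeJmsProvider(serialize(new OrderEvent("A-1")));
        System.out.println("accepted: " + ok.orderId);

        // A HashMap stands in for any class outside the allowlist (constructed sample, not a gadget).
        try {
            deserializeLikeJmsProvider(serialize(new HashMap<String, String>()));
            System.out.println("BUG: unlisted class was deserialized");
        } catch (InvalidClassException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

The filter is consulted for every class the stream tries to resolve, so a rejected class never reaches its readObject() and no gadget chain on the classpath gets to run; the upgrade to a fixed Camel release remains the primary fix.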

Affected

6 ranges

Vendor                       Product       Version range        Fixed in
apache                       camel
apache                       camel         >= 3.0.0 < 4.14.7    4.14.7
apache                       camel         >= 4.15.0 < 4.18.2   4.18.2
apache_software_foundation   apache_camel  >= 3.0.0 < 4.14.7    4.14.7
apache_software_foundation   apache_camel  >= 4.15.0 < 4.18.2   4.18.2
apache_software_foundation   apache_camel  >= 4.19.0 < 4.20.0   4.20.0

Detection & IOCs (extracted from sources)

  • Detect deserialization of JMS ObjectMessage payloads in Camel applications: monitor for calls to javax.jms.ObjectMessage.getObject() originating from JmsBinding.extractBodyFromJms() with no ObjectInputFilter applied.
  • Flag exploitation attempts when the mapJmsMessage option is enabled (the default) and Camel is acting as a JMS consumer receiving ObjectMessage payloads; this is the default code path and requires no special configuration on the attacker's side.
  • Broaden detection scope to the camel-sjms2, camel-amqp, camel-activemq and camel-activemq6 components, all of which transitively reach the vulnerable JmsBinding deserialization path.
  • Alert on unexpected Java deserialization activity (e.g. ObjectInputStream usage, gadget chain class loading) in processes hosting Apache Camel JMS consumers, particularly when a deserialization gadget chain library (e.g. commons-collections, spring-core) is present on the classpath.
  • The vulnerable code path is active by default; no non-default configuration is required for exploitation. Any Camel application acting as a JMS consumer with mapJmsMessage enabled (the default) is exposed.
  • Affected Apache Camel version ranges: 3.0.0 before 4.14.7, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0. Verify the deployed Camel version to scope detection and response.
  • Red Hat package scope varies: camel-amqp in Red Hat Fuse 7 and JBoss EAP 8/Expansion Pack is NOT affected, but camel-jms in those same products IS affected. Validate per-package applicability before applying detections.
  • Exploitation requires a deserialization gadget chain to be present on the classpath. Environments without known gadget libraries (e.g. commons-collections, spring-core) have reduced but not eliminated risk.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat           9.8    CRITICAL