Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2819 articles · 175085 vulns · 37/41 feeds (7d)
← Back to list
9.8
CVE-2026-40860EXPLOITEDPATCHED
apache · camel

Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp

Description

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Affected Products

VendorProductVersions
apachecamel3.0.0, 4.15.0, 4.19.0, 4.14.8, 4.18.3, 4.21.0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apachecamelcert_advisory90%
sapsap softwarecert_advisory90%

References

  • https://camel.apache.org/security/CVE-2026-40860.html(vendor-advisory)

Related News (3 articles)

Tier B
BSI Advisories1h ago
[NEU] [hoch] SAP Patch Day Juli 2026
→ No new info (linked only)
Tier C
oss-security7d ago
CVE-2026-43866: Apache Camel: Camel JMS - CVE-2026-40860 fix bypass via DefaultExchangeHolder
→ No new info (linked only)
Tier B
BSI Advisories78d ago
[NEU] [hoch] Apache Camel: Mehrere Schwachstellen
→ No new info (linked only)
CVSS 3.19.8 HIGH
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
4.14.84.18.34.21.0
CWECWE-502
PublishedApr 27, 2026
Last enriched7d agov2
Trending Score74
Source articles3
Independent2
Info Completeness10/14
Missing: epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-41293EXP
Apache Tomcat: HTTP/2 request headers not validated
Trending: 89
NONECVE-2026-43515EXP
Apache Tomcat: Security constraints not correctly applied
Trending: 79
CRITICALCVE-2026-43512
Apache Tomcat: Digest authenticator will authenticate any unknown user
Trending: 69
HIGHCVE-2026-59245EXP
Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
Trending: 62
HIGHCVE-2026-58065EXP
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Trending: 62

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Apr 27, 2026
Discovered by ZDM
Apr 27, 2026
Actively Exploited
Apr 28, 2026
Exploit Available
Apr 28, 2026
Patch Available
Apr 28, 2026
Updated: affectedVersions, severity, exploitAvailable, activelyExploited, patchAvailable
Jul 6, 2026

Version History

v2
Last enriched 7d ago
v2Tier C7d ago

Updated affected versions to include 4.14.8, 4.18.3, and 4.21.0, changed severity to HIGH, and marked the vulnerability as actively exploited with an exploit available.

affectedVersionsseverityexploitAvailableactivelyExploitedpatchAvailable
via oss-security
v178d ago

Initial creation