CVE-2026-40860

Apache · Camel

Apache Camel’s JMS components are vulnerable to remote code execution due to insecure deserialization of ObjectMessage payloads when mapJmsMessage is enabled.

Executive summary

An insecure deserialization vulnerability in Apache Camel JMS components allows attackers to achieve remote code execution by publishing crafted payloads to a message queue.

Vulnerability

The Camel JMS component deserializes JMS ObjectMessage payloads without adequate class filtering or allowlisting, so an attacker who can publish to a consumed queue can trigger a deserialization gadget chain present on the consumer's classpath.

Business impact

This critical vulnerability (CVSS 9.8) enables remote code execution, which can be leveraged to gain full control over the application server. Any organization using Apache Camel as a JMS consumer is at significant risk of total system compromise if an attacker can reach the message queue.

Remediation

Immediate Action: Upgrade to version 4.20.0, 4.14.7, or 4.18.2, depending on the specific release stream in use.

Proactive Monitoring: Monitor JMS traffic for suspicious or malformed ObjectMessage payloads and review application logs for unexpected deserialization errors.

Compensating Controls: Implement strict network-level access controls for the message broker to ensure only trusted sources can publish messages to the consumed queues.
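The vulnerability section above describes deserialization "without adequate filtering or allowlisting", and the remediation asks for monitoring of deserialization errors. The following is an added example, not Apache Camel project code and not tied to the mapJmsMessage option: it shows what class allowlisting looks like at the JDK level (java.io.ObjectInputFilter, Java 9+), applied to a serialized payload of the kind an ObjectMessage carries. The OrderEvent and Unexpected classes are hypothetical stand-ins constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not Camel code): deserialize a byte payload under a strict
 * class allowlist. Anything not on the list is rejected before its class is
 * resolved, which is what defeats gadget chains that depend on unexpected
 * classes being instantiated.
 */
public class ObjectMessageFilterDemo {

    // Hypothetical DTO the consumer legitimately expects in ObjectMessage bodies.
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }

    // Harmless stand-in for any class the consumer does not expect (constructed
    // for the demo); the point is only that it is absent from the allowlist.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Same pattern syntax as the jdk.serialFilter system property:
    // allow the DTO and String (its only field type), cap depth and size,
    // and reject every other class ("!*").
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;" + OrderEvent.class.getName() + ";maxdepth=5;maxbytes=65536;!*");

    /** Produce a serialized payload, standing in for the bytes of an ObjectMessage body. */
    static byte[] serialize(Serializable payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(payload);
        }
        return bos.toByteArray();
    }

    /** Deserialize under the allowlist; a rejected class raises InvalidClassException. */
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOWLIST);   // per-stream filter
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload passes the filter.
        Object ok = deserializeFiltered(serialize(new OrderEvent("A-1001")));
        System.out.println("accepted: " + ((OrderEvent) ok).orderId);

        // Unexpected class is rejected before instantiation.
        try {
            deserializeFiltered(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            // Message reads "filter status: REJECTED"; this is the log event
            // worth alerting on when monitoring for deserialization errors.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied JVM-wide with -Djdk.serialFilter='...' on the consumer's command line, which covers deserialization performed by library code (such as a JMS client or Camel component) that the application never calls directly; the per-stream form shown here is useful where the application itself reads the payload. A filter reduces the gadget surface but is a compensating control, not a substitute for the fixed versions listed under Remediation.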

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Reliance on default settings such as mapJmsMessage being enabled significantly expands the attack surface for this vulnerability. Organizations must prioritize upgrading their Apache Camel dependencies to versions that enforce secure deserialization practices in order to prevent unauthorized code execution.