External risk intelligence

Attackers can take control of Apache Camel systems to steal data or disrupt services.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-40860

Because of a security flaw in Apache Camel, an internal attacker can run unauthorized code on application servers. This issue could lead to a full system compromise, granting them control over critical business infrastructure.

Halo Surface Signal: 2

Deserialization

Apache Camel

Affected versions:

  • 3.0.0 to before 4.14.7
  • 4.15.0 to before 4.18.2
  • 4.19.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-40860

The vulnerability requires access to a JMS messaging broker to deliver a crafted message. Messaging infrastructure is typically isolated within internal networks or protected by robust access controls, making direct public internet exposure uncommon in standard enterprise deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Apache Camel allows for remote code execution if an attacker can send a crafted message to a JMS queue or topic that a Camel application is consuming. Because the affected component deserializes message content without proper validation, it can be tricked into running malicious code, especially if specific libraries are present. This is a serious concern for applications using Camel for message processing.

  • Critical impact: Allows full system compromise.
  • Broad reach: Affects multiple Apache Camel versions and related components.
  • Default configuration risk: Enabled by default for JMS message handling.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending a specially crafted JMS ObjectMessage to a queue or topic that a vulnerable Apache Camel application is consuming. If the application is configured to process these messages using the default `mapJmsMessage` option, it will deserialize the payload without proper checks, allowing the attacker to execute arbitrary code on the Camel application's server by leveraging deserialization gadgets.

  • Only unauthenticated network access to the messaging infrastructure is required.
  • Target: JMS message queue/topic.
  • Camel app must consume messages.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for remote code execution through deserialization of untrusted JMS messages when `mapJmsMessage` is enabled. While the attack requires an attacker to send a crafted message to a queue or topic consumed by a Camel application, it presents a significant risk if successful. The default configuration for `mapJmsMessage` increases the likelihood of exploitation in vulnerable environments.

  • Exploitable with crafted messages.
  • No public exploits observed.
  • Affects multiple Camel components.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Apache Camel services running versions from 3.0.0 to 4.14.6, 4.15.0 to 4.18.1, and 4.19.0. If patching is not immediately feasible, implement network segmentation or strict access controls to prevent unauthenticated systems from publishing messages to JMS queues or topics consumed by Camel applications. Monitor for deserialization exploitation patterns in JMS message processing.

  • Upgrade to Apache Camel 4.20.0 or 4.14.7/4.18.2.
  • Isolate JMS brokers from untrusted networks.
  • Log and alert on deserialization errors.
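For teams that cannot patch immediately, the attack path above (the default `mapJmsMessage` mapping deserializing an `ObjectMessage` inside `JmsBinding`) suggests a compensating control at the route level. The following Camel route is an added example, not code from the advisory or the Camel project: it turns off `mapJmsMessage`, inspects the raw JMS message itself, rejects `ObjectMessage` payloads without ever calling `getObject()`, and emits an alert-grade log line for the SOC. The queue name `orders`, the logger name, and the `direct:processOrder` endpoint are assumptions; Camel 4.x uses `jakarta.jms`, while Camel 3.x would import `javax.jms` instead.

```java
import jakarta.jms.Message;
import jakarta.jms.ObjectMessage;
import jakarta.jms.TextMessage;
import org.apache.camel.builder.RouteBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Added example (not from the advisory or the Camel project). Queue name,
// logger name and downstream endpoint are assumptions.
public class HardenedJmsConsumerRoute extends RouteBuilder {

    private static final Logger ALERT = LoggerFactory.getLogger("security.jms.deserialization");

    @Override
    public void configure() {
        // Default behaviour (mapJmsMessage=true is implicit): JmsBinding maps an
        // incoming ObjectMessage to a Java object by deserializing its payload
        // before any route logic runs, which is what the advisory describes:
        //   from("jms:queue:orders")
        //
        // Compensating control: with mapJmsMessage=false the exchange body is the
        // raw jakarta.jms.Message, so nothing is deserialized until we decide to.
        from("jms:queue:orders?mapJmsMessage=false")
            .routeId("orders-consumer")
            .process(exchange -> {
                Message raw = exchange.getMessage().getBody(Message.class);

                if (raw instanceof ObjectMessage) {
                    // Do not call getObject(): that call is the deserialization step.
                    // Log enough to alert on and investigate, then reject the message.
                    ALERT.warn("Rejected JMS ObjectMessage queue=orders JMSMessageID={} JMSDestination={}",
                            raw.getJMSMessageID(), raw.getJMSDestination());
                    throw new SecurityException("ObjectMessage payloads are not accepted");
                }

                if (raw instanceof TextMessage) {
                    // Only plain text is accepted; parse it with a safe parser downstream.
                    exchange.getMessage().setBody(((TextMessage) raw).getText());
                } else {
                    ALERT.warn("Rejected unsupported JMS message type={} JMSMessageID={}",
                            raw.getClass().getName(), raw.getJMSMessageID());
                    throw new SecurityException("Unsupported JMS message type");
                }
            })
            .to("direct:processOrder");
    }
}
```

Throwing from the processor fails the exchange, so pair this with an `onException` handler or dead-letter channel to avoid a redelivery loop on the broker. The `security.jms.deserialization` log lines are the signal to route to your alerting pipeline, which is the "log and alert on deserialization errors" step above.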

Frequently asked questions

What is Apache Camel and what is it used for?

Apache Camel is a versatile integration framework used to build integration solutions. It allows developers to define routes and manage message flows between different systems, acting as a bridge for various communication protocols and data formats. It's commonly employed in enterprise environments for tasks like data transformation, routing, and orchestration of services.

How does CVE-2026-40860 allow remote code execution?

CVE-2026-40860 is a deserialization vulnerability. In affected Apache Camel versions, the `JmsBinding` class deserializes JMS ObjectMessage payloads without proper validation. If an attacker can send a crafted message, and specific libraries are present, the system may execute arbitrary code as part of the deserialization process.

What are the conditions needed to exploit CVE-2026-40860?

To exploit this vulnerability, an attacker must be able to publish a specially crafted JMS ObjectMessage to a queue or topic that a Camel application is configured to consume. The Camel application must also have the `mapJmsMessage` option enabled, which is the default setting for JMS consumers.

Who should be concerned about this external threat?

Organizations using Apache Camel, especially those where Camel applications consume messages from JMS queues or topics, should be concerned. The Halo Surface Signal indicates this vulnerability is classified as external, meaning it could potentially be exploited over a network by an unauthenticated attacker if the affected JMS infrastructure is exposed.

What's the first step to address this vulnerability in Apache Camel?

The primary recommendation is to upgrade your Apache Camel installation. Specifically, upgrade to version 4.20.0, or to version 4.14.7 for LTS 4.14.x releases, or 4.18.2 for LTS 4.18.x releases. This addresses the underlying deserialization flaw.
