CVE-2026-25747
Published: 23 February 2026
Summary
CVE-2026-25747 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Camel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 19.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Remediates the specific deserialization flaw by requiring timely identification, reporting, and patching to the fixed Apache Camel versions recommended in the advisory.
- SI-10 (Information Input Validation): Mandates validation of data read from the LevelDB repository prior to deserialization, using filters or restrictions to block malicious Java objects.
- AC-6 (Least Privilege): Limits privileges so that low-privileged attackers cannot gain the write access to LevelDB database files needed to inject crafted serialized objects.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Deserialization of untrusted data in a network-accessible Apache Camel component directly enables remote arbitrary code execution with low privileges and no user interaction, mapping to exploitation of public-facing applications.
NVD Description
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repository operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue. For the 4.10.x LTS releases, users are recommended to upgrade to 4.10.9, while for 4.14.x LTS releases, users are recommended to upgrade to 4.14.5.
Deeper analysis (AI-generated)
CVE-2026-25747 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Apache Camel LevelDB component, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The affected DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without any ObjectInputFilter or class-loading restrictions. This issue impacts Apache Camel versions from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, and from 4.15.0 before 4.18.0.
An attacker with write access to the LevelDB database files used by a Camel application can exploit this vulnerability by injecting a crafted serialized Java object. During normal aggregation repository operations, the application deserializes the malicious object, resulting in arbitrary code execution within the application's context. Exploitation requires low privileges (PR:L) and network access but has low complexity and no user interaction.
The Apache Camel security advisory recommends upgrading to version 4.18.0 to remediate the issue, with specific LTS upgrades to 4.10.9 for the 4.10.x series and 4.14.5 for the 4.14.x series. Additional details are available in the official advisory at https://camel.apache.org/security/CVE-2026-25747.html, a GitHub repository at https://github.com/oscerd/CVE-2026-25747, and an oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/02/18/6.
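The following added example is not code from Apache Camel, the advisory, or the referenced repository. It contrasts the unfiltered java.io.ObjectInputStream pattern that the NVD description identifies with the filtered form that the SI-10 control above calls for: an ObjectInputFilter allowlist installed before readObject, plus depth, reference and byte limits. The AggregationPayload class, the allowlisted types and the limit values are assumptions chosen for illustration; a real deployment would allowlist the exchange types it actually persists.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example (not project code): a repository record deserializer with and
// without an ObjectInputFilter. Requires Java 9 or later for ObjectInputFilter.
public class FilteredDeserializer {

    // Hypothetical record type the application stores in its repository.
    public static final class AggregationPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String body;
        AggregationPayload(String body) { this.body = body; }
    }

    // Allowlist built with the JDK's pattern syntax: limits first, then the
    // permitted classes, then "!*" to reject every class not named above.
    // The limits are illustrative values, not tuned for any real workload.
    // String is listed defensively; it costs nothing if the JDK never routes
    // it through the filter.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxrefs=1000;maxbytes=1048576;"
        + AggregationPayload.class.getName()
        + ";java.lang.String;java.lang.Integer;!*");

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    // Vulnerable shape described in the advisory: any class reachable on the
    // classpath may be instantiated from bytes read off disk.
    static Object deserializeUnfiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hardened shape: the filter must be installed before the first readObject;
    // a class outside the allowlist causes readObject to throw InvalidClassException.
    static Object deserializeFiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a record the application legitimately wrote.
        byte[] expected = serialize(new AggregationPayload("order-42"));
        AggregationPayload p = (AggregationPayload) deserializeFiltered(expected);
        System.out.println("allowed: " + p.body);

        // Constructed stand-in for a record the application never wrote: a
        // harmless class that is simply not on the allowlist. The unfiltered
        // path accepts it without question; the filtered path rejects it.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        System.out.println("unfiltered: " + deserializeUnfiltered(unexpected).getClass().getName());
        try {
            deserializeFiltered(unexpected);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac FilteredDeserializer.java && java FilteredDeserializer`. The design point is that the filter is set on the stream object before any data is read; setting it afterwards throws IllegalStateException, and the default process-wide filter (`jdk.serialFilter`) is a weaker fallback because it must be broad enough for every ObjectInputStream in the JVM.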
Details
- CWE(s)