CVE-2026-27172
Published: 27 April 2026
Summary
CVE-2026-27172 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Camel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 37.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the deserialization vulnerability by requiring timely application of vendor patches to upgrade vulnerable Apache Camel versions.
- SI-10 (Information Input Validation): mandates input validation and filtering on data read from the Consul KV store, blocking malicious serialized Java objects before deserialization.
- AC-6 (Least Privilege): enforces least privilege to restrict write access to the Consul KV store, preventing attackers from injecting malicious serialized objects.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The deserialization vulnerability enables remote code execution via malicious serialized objects written to the Consul KV store (PR:L, AV:N), directly facilitating exploitation of remote services (T1210) and potential privilege escalation through gadget chains (T1068).
NVD Description
The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1.
Deeper analysis
CVE-2026-27172 is a deserialization vulnerability in the ConsulRegistry class (specifically its inner ConsulRegistryUtils.deserialize method) within the camel-consul component of Apache Camel. The flaw occurs because the component reads Java-serialized values from a Consul KV store and passes them directly to ObjectInputStream.readObject() without an ObjectInputFilter, enabling gadget chain exploitation. It affects Apache Camel versions from 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-502.
An attacker with write access to the Consul KV store backing a Camel ConsulRegistry instance can inject a malicious serialized Java object. The next time Camel performs a registry lookup, the object is deserialized, resulting in arbitrary code execution within the Camel process. This issue resembles vulnerabilities previously addressed in CVE-2024-22369, CVE-2024-23114, and CVE-2026-25747 but was overlooked in their remediations.
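The root cause described above, and the SI-10 input-filtering control listed under Mitigating Controls, both come down to whether an ObjectInputFilter (JEP 290, available since Java 9) is installed on the ObjectInputStream before readObject() runs. The following added example is not Apache Camel code and does not use the camel-consul API; the class, method and field names (FilteredDeserializeExample, KvEntry, deserializeUnfiltered, deserializeFiltered) and the sample values are constructed for illustration. It shows a KV-store value deserializer in the unfiltered form the advisory describes next to a default-deny allowlist form with structural limits, and demonstrates that the filtered path rejects an unexpected class before its deserialization hooks execute.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not Apache Camel code): a hypothetical KV-store value
 * deserializer shown without and with an ObjectInputFilter (JEP 290, Java 9+).
 * All names here are illustrative assumptions, not the camel-consul API.
 */
public class FilteredDeserializeExample {

    /** Constructed sample value type that a registry might legitimately store. */
    static final class KvEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        KvEntry(String name) { this.name = name; }
    }

    // Resource limits applied to every object graph read from the store.
    static final long MAX_DEPTH = 10;
    static final long MAX_ARRAY_LENGTH = 10_000;

    /**
     * The pattern the advisory describes: the stream names the class and the
     * JVM instantiates it, so any gadget chain on the classpath is reachable.
     */
    static Object deserializeUnfiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /**
     * Hardened variant: only classes on an explicit allowlist may be
     * instantiated and the graph shape is bounded. The filter is consulted
     * before a rejected class's readObject/readResolve code can run.
     */
    static Object deserializeFiltered(byte[] bytes, Set<String> allowedClassNames)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            if (info.depth() > MAX_DEPTH || info.arrayLength() > MAX_ARRAY_LENGTH) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                // No class involved in this callback (limit-only check).
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (clazz.isArray()) {
                clazz = clazz.getComponentType(); // judge arrays by their element type
            }
            if (clazz.isPrimitive() || allowedClassNames.contains(clazz.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED; // default-deny everything else
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter); // must be set before readObject()
            return in.readObject();
        }
    }

    /** Produces constructed sample payloads for the demonstration below. */
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(KvEntry.class.getName(), String.class.getName());

        // Expected value type: accepted by the filter.
        byte[] good = serialize(new KvEntry("payment-route"));
        KvEntry entry = (KvEntry) deserializeFiltered(good, allowed);
        System.out.println("accepted: " + entry.name);

        // A benign but unexpected class stands in for anything the registry should
        // never see: the unfiltered path instantiates it, the filtered path rejects it.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("unfiltered: " + deserializeUnfiltered(unexpected).getClass().getName());
        try {
            deserializeFiltered(unexpected, allowed);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The allowlist is deliberately default-deny: anything not named is rejected rather than left UNDECIDED, which is what stops unknown gadget classes. A process-wide fallback can also be set with the jdk.serialFilter system property, but a per-stream filter installed right before readObject(), as above, is the fix that does not depend on JVM launch configuration.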
The Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-27172.html recommends upgrading to version 4.19.0 to resolve the issue. Users on the 4.14.x LTS release stream should upgrade to 4.14.6, while those on the 4.18.x stream should upgrade to 4.18.1.
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)