CVE-2026-40473
Published: 27 April 2026
Summary
CVE-2026-40473 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Camel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the deserialization vulnerability in camel-mina by requiring timely patching to fixed Apache Camel versions that apply ObjectInputFilter and class-loading restrictions.
Mandates validation of network inputs like IoBuffers prior to conversion to ObjectInputStream, preventing exploitation via crafted serialized objects lacking proper filtering.
Enforces network boundary protections to limit remote access to vulnerable TCP/UDP MINA consumer ports, reducing the attack surface for network-based deserialization attacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-40473 is a network-accessible deserialization vulnerability in a public-facing Apache Camel Mina TCP/UDP consumer, enabling remote arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class)…
more
or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
Deeper analysisAI
CVE-2026-40473 is a deserialization vulnerability (CWE-502) in the camel-mina component of Apache Camel. The MinaConverter.toObjectInput(IoBuffer) method wraps an IoBuffer in a java.io.ObjectInputStream without applying ObjectInputFilter or class-loading restrictions. This affects Apache Camel versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0, specifically when a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput, such as via getBody(ObjectInput.class) or @Body ObjectInput.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) by sending a crafted serialized Java object to the MINA consumer port. The vulnerability has low complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U), earning a CVSS v3.1 base score of 8.8. Successful exploitation triggers arbitrary code execution in the context of the application during the readObject() process.
The Apache Camel security advisory recommends upgrading to version 4.20.0 to fix the issue. Users on the 4.14.x LTS release stream should upgrade to 4.14.6, while those on the 4.18.x stream should upgrade to 4.18.2. Additional details are available in the official advisory at https://camel.apache.org/security/CVE-2026-40473.html and the OSS-Security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/04/26/8.
Details
- CWE(s)