CVE-2026-40860
Published: 27 April 2026
Summary
CVE-2026-40860 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Camel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 28.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the deserialization vulnerability by requiring timely patching and upgrading of affected Apache Camel versions, as recommended in the advisory.
- Prevents remote code execution by enforcing validation of untrusted JMS ObjectMessage payloads with an ObjectInputFilter, a class allowlist, or a class denylist during deserialization.
- Establishes secure configuration settings for Camel JMS components, such as disabling the mapJmsMessage option (enabled by default), so that the vulnerable extractBodyFromJms code path is never reached.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote code execution via crafted JMS ObjectMessages on a network-accessible broker, directly enabling exploitation of a public-facing application.
NVD Description
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
Deeper analysis
CVE-2026-40860 is a critical deserialization vulnerability (CWE-502) in Apache Camel's JMS-related components, including camel-jms, camel-sjms, camel-sjms2, camel-amqp, camel-activemq, and camel-activemq6. The flaw resides in the JmsBinding.extractBodyFromJms() method in camel-jms and the equivalent classes in the other components, which deserialize the payload of incoming JMS ObjectMessages via javax.jms.ObjectMessage.getObject() without any ObjectInputFilter, class allowlist, or class denylist. This code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel operates as a JMS consumer. The vulnerability affects Apache Camel versions from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0.
An attacker who can publish a crafted ObjectMessage to a queue or topic consumed by a vulnerable Camel application can trigger remote code execution if a deserialization gadget chain is present on the application's classpath. Exploitation requires only network access to the JMS broker; no authentication or user interaction is needed. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The Apache Camel security advisory recommends upgrading to version 4.20.0, which resolves the issue. Users on the 4.14.x LTS release stream should upgrade to 4.14.7, while those on 4.18.x should upgrade to 4.18.2. Further details are provided in the official advisory at https://camel.apache.org/security/CVE-2026-40860.html and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/04/26/10.
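The mitigation named above (gating deserialization with an ObjectInputFilter) and the unfiltered getObject() path described in the NVD text are easiest to see side by side in a small standalone program. The following is an added example, not code from Apache Camel, NVD or the advisory. It assumes a hypothetical DTO class named OrderEvent that the consumer legitimately expects, and a constructed HashMap payload standing in for any class that is not on the allowlist; the filter pattern string is likewise an assumption chosen for this demo. Only the JDK (9 or later) is required.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example, not Apache Camel or NVD code. Contrasts an unfiltered
 * ObjectInputStream.readObject() (the behaviour the advisory describes for
 * ObjectMessage.getObject() with no filter) with the same read gated by a
 * java.io.ObjectInputFilter allowlist (JDK 9+). Requires only the JDK.
 */
public class SerialFilterDemo {

    /**
     * Allowlist (assumed pattern for this demo): the one DTO this consumer expects,
     * plus java.lang.String for its field; every other class is rejected by the
     * trailing "!*". maxdepth and maxarray bound resource use from nested or huge payloads.
     */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "OrderEvent;java.lang.String;maxdepth=5;maxarray=1000;!*");

    /** Serialises any object with the standard JDK mechanism (used to build constructed inputs). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Unfiltered read: any Serializable class on the classpath is instantiated. */
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    /**
     * Filtered read: the filter is consulted for each class descriptor before the
     * class is resolved, so a rejected class never has its readObject() invoked.
     */
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new OrderEvent("A-1001", 3));
        // Constructed stand-in for an unexpected payload: an empty HashMap is harmless,
        // but it is not on the allowlist, so it must be rejected like any other class.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("filtered,   expected  : " + readFiltered(expected));
        System.out.println("unfiltered, unexpected: accepted "
                + readUnfiltered(unexpected).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered,   unexpected: accepted (filter not applied?)");
        } catch (InvalidClassException e) {
            System.out.println("filtered,   unexpected: rejected -> " + e.getMessage());
        }
    }
}

/** Hypothetical DTO a Camel consumer legitimately expects in an ObjectMessage. */
final class OrderEvent implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String orderId;
    private final int quantity;

    OrderEvent(String orderId, int quantity) {
        this.orderId = orderId;
        this.quantity = quantity;
    }

    @Override
    public String toString() {
        return "OrderEvent[orderId=" + orderId + ", quantity=" + quantity + "]";
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo`. Because ObjectMessage.getObject() performs the deserialization inside the JMS client library rather than in application code, a per-stream setObjectInputFilter() call cannot reach it; the same pattern string is instead installed process-wide with `-Djdk.serialFilter=<pattern>` or `ObjectInputFilter.Config.setSerialFilter(...)`, which covers every ObjectInputStream in the JVM. On the Camel side, setting `mapJmsMessage=false` on the consuming endpoint leaves the raw JMS Message as the exchange body so the extractBodyFromJms mapping is not performed at all. Both measures are defence in depth; upgrading to the fixed releases named in the advisory is the fix. An InvalidClassException with "filter status: REJECTED" appearing in consumer logs is a signal worth alerting on, since it means a payload of an unexpected class reached the queue.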
Details
- CWE(s)