CVE-2026-40860 - Vulnerability Analysis

Overview

Apache Camel 3.0.0 < 4.14.7, 4.15.0 < 4.18.2, and 4.19.0 < 4.20.0 contain a remote code execution vulnerability caused by unsafe deserialization of JMS ObjectMessage payloads without applying ObjectInputFilter or class allowlist/denylist, letting attackers publish crafted ObjectMessages to achieve remote code execution, exploit requires attacker to publish crafted JMS messages to a consumed queue or topic.

Severity & Score

Impact

Attackers can execute arbitrary code remotely by sending crafted JMS ObjectMessages to Camel consumers, potentially compromising the entire system.

Mitigation

Upgrade to Apache Camel 4.20.0, or 4.14.7 for 4.14.x LTS, or 4.18.2 for 4.18.x releases.

References

• http://www.openwall.com/lists/oss-security/2026/04/26/10
• https://camel.apache.org/security/CVE-2026-40860.html

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 27, 2026

🔴 CVE-2026-40860 - Critical (9.8) JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class al... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40860/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner