PT-2026-35371 · Apache · Apache Camel

Venkatraman Kumar · Published 2026-04-27 · Updated 2026-04-27 · CVE-2026-40473

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache Camel versions 3.0.0 through 4.14.5
Apache Camel versions 4.15.0 through 4.18.1
Apache Camel versions 4.19.0 through 4.19.9

Description

The camel-mina component contains a flaw in the MinaConverter.toObjectInput(IoBuffer) function: it wraps an IoBuffer in a java.io.ObjectInputStream without installing an ObjectInputFilter or any class-loading restriction. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion of the body to ObjectInput (for example via getBody(ObjectInput.class) or a @Body ObjectInput parameter), a remote attacker can send a crafted serialized Java object to the MINA consumer port. Because the stream is deserialized unfiltered, arbitrary code can execute in the application context while readObject() processes the payload.

Recommendations

Upgrade to version 4.14.6 for those on the 4.14.x LTS release stream.
Upgrade to version 4.18.2 for those on the 4.18.x release stream.
Upgrade to version 4.20.0 for all other affected versions.
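The following is an added illustration, not Apache Camel or Apache MINA code, of the pattern the description names: an ObjectInputStream read with no ObjectInputFilter next to the same read with a JEP 290 allow-list filter installed. The IoBuffer is replaced by a plain byte[] so it runs without MINA, and the Greeting class is a hypothetical message type standing in for whatever a route legitimately expects. The remediation for the advisory itself remains the upgrade listed above; this only shows why an unfiltered stream accepts any Serializable class on the classpath and how a filter rejects unexpected ones before their deserialization logic runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example (not Camel code). Requires Java 9 or later for ObjectInputFilter.
public class FilteredDeserializationDemo {

    // Hypothetical message type that a consumer route would legitimately expect.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final int count;
        Greeting(int count) { this.count = count; }
    }

    // The unfiltered pattern the advisory describes: every Serializable class on the
    // classpath may be instantiated while readObject() runs. byte[] stands in for IoBuffer.
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Hardened variant: a JEP 290 pattern filter caps nesting depth and array size,
    // allows only the expected class, and rejects everything else ("!*").
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowGreetingOnly = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxarray=1000;FilteredDeserializationDemo$Greeting;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(allowGreetingOnly); // must be set before readObject()
            return in.readObject();
        }
    }

    // Helper to build constructed sample payloads for the demo.
    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting(1));
        // Constructed, harmless stand-in for "a class the route never asked for".
        byte[] unexpected = serialize(new HashMap<String, Integer>());

        System.out.println("unfiltered accepts: " + readUnfiltered(expected).getClass().getName());
        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass().getName());

        System.out.println("filtered accepts:   " + readFiltered(expected).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered accepted the unexpected type (should not happen)");
        } catch (InvalidClassException e) {
            // The filter returns REJECTED for HashMap, so the stream aborts here.
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}
```

Compile with `javac FilteredDeserializationDemo.java` and run with `java FilteredDeserializationDemo`. The per-stream filter shown here is the narrowest option; the same pattern syntax can also be applied process-wide with the `jdk.serialFilter` system property, which is a useful compensating control for services that cannot upgrade immediately but still expose a deserializing listener.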

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2026-06060
CVE-2026-40473
GHSA-VPR3-2659-RW55

Affected Products

Apache Camel