PT-2026-35372 · Apache · Apache Camel and 6 related components

Venkatraman Kumar

·

Published

2026-04-27

·

Updated

2026-04-27

·

CVE-2026-40860

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Camel versions 3.0.0 through 4.14.6
Apache Camel versions 4.15.0 through 4.18.1
Apache Camel versions 4.19.0 through 4.19.x
Description

The extractBodyFromJms() method in camel-jms and the JmsBinding class in camel-sjms deserialize the payload of an incoming JMS ObjectMessage by calling ObjectMessage.getObject() (javax.jms in Camel 3.x, jakarta.jms in Camel 4.x) without an ObjectInputFilter, class allowlist, or class denylist. The vulnerable path is reached whenever the application acts as a JMS consumer and the mapJmsMessage option is enabled, which is its default. An attacker who can publish a crafted ObjectMessage to a queue or topic that such a consumer reads can achieve remote code execution, provided a suitable deserialization gadget chain is present on the consumer's classpath. Because the deserialization happens inside getObject(), i.e. in the JMS client library rather than in Camel code, no application-level check runs before the object graph is reconstructed. The same issue affects camel-sjms2, camel-amqp, camel-activemq, and camel-activemq6.
Recommendations

Upgrade to version 4.14.7 if you are on the 4.14.x LTS release stream.
Upgrade to version 4.18.2 if you are on the 4.18.x release stream.
Upgrade to version 4.20.0 for all other affected versions.

Until the upgrade is deployed, two mitigations follow from the description above: set mapJmsMessage=false on the affected consumer endpoints so that Camel does not call getObject() on incoming ObjectMessage payloads, and install a JVM-wide ObjectInputFilter (for example via -Djdk.serialFilter=...) that allowlists only the payload classes the consumer expects, so that any getObject() call in the process, including those made by the JMS client library, rejects everything else. These reduce exposure; they do not replace the fixed releases.
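The following Java program is an added illustration, not code from this advisory or from Apache Camel. It shows the bug class in isolation: the same serialized bytes read by a plain ObjectInputStream (any class on the classpath may be instantiated, which is what ObjectMessage.getObject() does on the vulnerable path) and read under an ObjectInputFilter allowlist, which rejects an unexpected class before it is constructed. The JMS broker is simulated by an in-process byte[]; the OrderEvent class, the filter pattern and the use of java.util.HashMap as a stand-in for a gadget-chain root are assumptions for illustration only.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example (not Apache Camel code). Simulates an ObjectMessage payload
 * as a byte[] and compares unfiltered and allowlist-filtered deserialization.
 * OrderEvent, the filter pattern and the HashMap stand-in are assumptions.
 */
public class ObjectMessageFilterDemo {

    /** The one payload type this consumer legitimately expects (hypothetical). */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
        @Override public String toString() { return "OrderEvent(" + orderId + ")"; }
    }

    /** Stand-in for what a producer puts on the wire inside an ObjectMessage. */
    static byte[] serialize(Object payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(payload);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: no filter, so any class on the classpath may be instantiated. */
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: a per-stream allowlist; anything not listed is rejected before construction. */
    static Object readFiltered(byte[] wire, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow only the expected event type, cap graph depth and reference count
        // (blunts resource-exhaustion payloads), and reject every other class ("!*").
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "ObjectMessageFilterDemo$OrderEvent;maxdepth=5;maxrefs=100;!*");

        byte[] expected = serialize(new OrderEvent("A-42"));
        // Constructed stand-in for a hostile payload: a class the consumer never asked for.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, expected  : " + readUnfiltered(expected));
        System.out.println("unfiltered, unexpected: " + readUnfiltered(unexpected)); // accepted: the bug class

        System.out.println("filtered,   expected  : " + readFiltered(expected, allowlist));
        try {
            readFiltered(unexpected, allowlist);
        } catch (InvalidClassException e) {
            System.out.println("filtered,   unexpected: rejected (" + e.getMessage() + ")");
        }

        // When deserialization happens inside a library you do not control (as with
        // ObjectMessage.getObject() in a JMS client), there is no stream to call
        // setObjectInputFilter on. Installing the same allowlist process-wide makes
        // every ObjectInputStream in the JVM apply it; -Djdk.serialFilter=... does the
        // same from the command line. setSerialFilter throws IllegalStateException if
        // a process-wide filter was already set, so do this once at startup.
        ObjectInputFilter.Config.setSerialFilter(allowlist);
        try {
            readUnfiltered(unexpected); // the previously "unfiltered" path is now covered too
        } catch (InvalidClassException e) {
            System.out.println("process-wide filter   : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with a JDK 9 or later (`javac ObjectMessageFilterDemo.java && java ObjectMessageFilterDemo`). The process-wide filter is the relevant one for the Camel case, since the consumer application never sees the ObjectInputStream that getObject() creates; pair it with mapJmsMessage=false or an upgrade to a fixed release rather than relying on it alone.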

Tags: Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2026-40860

Affected Products

Apache Camel
camel-activemq
camel-activemq6
camel-amqp
camel-jms
camel-sjms
camel-sjms2