Description
The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs.

This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1.

Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1.
Published: 2026-04-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

The ConsulRegistry component in Apache Camel reads Java-serialized objects directly from a Consul KV store and forwards the data to ObjectInputStream.readObject() without applying an ObjectInputFilter. This allows an attacker who can inject a malicious serialized object into the store to have it automatically deserialized during a Camel lookup, resulting in arbitrary code execution within the Camel process. The vulnerability is categorized as CWE-502, unsafe deserialization, which can compromise confidentiality, integrity, and availability of the affected system.
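As an added illustration of the two patterns the Description and Impact paragraphs contrast (written for this page, not taken from Camel's source): deserializeUnfiltered feeds stored bytes straight to readObject(), while deserializeFiltered installs a JDK 9+ ObjectInputFilter allowlist before reading, so any class outside the list is rejected before its deserialization hooks run. The class names and limits in the filter pattern are assumptions chosen for the constructed HashMap sample value.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

// Added example, not Camel's code: unfiltered readObject() beside a filtered variant.
public class FilteredDeserializeDemo {

    // Vulnerable shape: bytes from the store go straight to readObject(); any Serializable
    // class on the classpath may be instantiated and its readObject hooks executed.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened shape: an allowlist (assumed pattern; tune to the types actually stored) plus
    // size/depth limits, with "!*" rejecting every class not named. Number and Map$Entry are
    // listed because Integer's superclass descriptor and HashMap's table array are also checked.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Number;java.lang.Integer;java.util.HashMap;"
            + "java.util.Map$Entry;maxdepth=5;maxarray=1000;maxrefs=500;!*");

    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST); // must be set before readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a value a registry might legitimately hold.
        Map<String, Integer> allowed = new HashMap<>();
        allowed.put("retries", 3);
        System.out.println("filtered, allowed: " + deserializeFiltered(serialize(allowed)));

        // Constructed stand-in for an unexpected class: a harmless java.util.Date is not on the
        // allowlist, so the filter refuses it the same way it would refuse an unknown gadget class.
        byte[] unexpected = serialize(new java.util.Date(0));
        System.out.println("unfiltered: " + deserializeUnfiltered(unexpected));
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide through ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property, which also covers deserialization paths that a library does not expose for per-stream configuration.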

Affected Systems

Apache Camel's camel-consul component is affected. The flaw exists in versions 3.0.0 up to 4.18.x before the corresponding patch releases: all 3.x and 4.0 through 4.14.x releases prior to 4.14.6, and 4.15.0 through 4.18.x releases prior to 4.18.1.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in CISA KEV, showing no widespread public exploitation yet. An attacker needs the ability to write to the Consul KV store that backs the Camel ConsulRegistry; with that privilege the attacker can insert a crafted serialized payload that is deserialized, and its code executed, the next time Camel performs a lookup.

Generated by OpenCVE AI on April 28, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to the latest patched version: v4.19.0 for new installations, 4.14.6 for the 4.14.x LTS line, or 4.18.1 for the 4.18.x releases.
  • Restrict write permissions on the Consul KV store that backs the ConsulRegistry to trusted principals only, preventing unauthorized injection of serialized data.
  • Audit the contents of the KV store for existing serialized objects, removing any suspicious or unknown entries and, if feasible, applying additional input filtering in the application to validate or reject unexpected object types.

Advisories
Source: Github GHSA
ID: GHSA-5rc6-9qfp-8vwg
Title: Apache Camel-Consul component vulnerable to Deserialization of Untrusted Data

History

Tue, 28 Apr 2026 19:45:00 +0000

  • CPEs added: cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*

Tue, 28 Apr 2026 13:15:00 +0000

  • Metrics removed:
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  • Metrics added:
      cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 05:15:00 +0000

  • Metrics added:
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 03:15:00 +0000

  • First Time appeared (added): Apache, Apache camel
  • Vendors & Products (added): Apache, Apache camel

Mon, 27 Apr 2026 18:30:00 +0000

  • Metrics added:
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Mon, 27 Apr 2026 10:45:00 +0000

  • Description added: The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1.
  • Title added: Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store
  • Weaknesses added: CWE-502
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T12:47:43.867Z

Reserved: 2026-02-18T14:18:10.063Z

Link: CVE-2026-27172

Vulnrichment

Updated: 2026-04-27T17:40:00.924Z

NVD

Status : Analyzed

Published: 2026-04-27T11:16:01.650

Modified: 2026-04-28T19:40:52.880

Link: CVE-2026-27172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:00:19Z

Weaknesses