Description
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject().

This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.

Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
Published: 2026-04-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The Apache Camel Mina component contains an unsafe deserialization flaw in MinaConverter.toObjectInput(IoBuffer), which wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class‑loading restrictions. When a Camel route consumes a MINA stream and requests conversion to ObjectInput, the unfiltered ObjectInputStream deserializes a maliciously crafted Java object, potentially executing arbitrary code during readObject(). This vulnerability is classified as CWE-502 and can compromise the confidentiality, integrity, and availability of the affected system.
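As an added illustration of the pattern described above (this is not Camel's or MINA's own code and not the upstream fix), the unfiltered ObjectInputStream beside a hardened form that installs a JDK ObjectInputFilter allowlist; a byte[] stands in for the IoBuffer contents and the two sample payloads are constructed.

```java
import java.io.*;

// Added example, not Camel/MINA code. A byte[] stands in for the IoBuffer payload;
// java.io.ObjectInputFilter is the JDK 9+ API (JEP 290).
public class FilteredObjectInputDemo {

    // The pattern the advisory describes: no filter, so any serializable class on the
    // classpath can be instantiated during readObject().
    static ObjectInput unfiltered(byte[] buf) throws IOException {
        return new ObjectInputStream(new ByteArrayInputStream(buf));
    }

    // Hardened form: an explicit allowlist plus depth/array limits; the trailing "!*"
    // rejects every class that is not named, instead of leaving it UNDECIDED (allowed).
    static ObjectInput filtered(byte[] buf) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buf));
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;java.util.ArrayList;maxdepth=5;maxarray=1000;!*");
        ois.setObjectInputFilter(allow);
        return ois;
    }

    // Helper to build constructed sample payloads for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize("hello");                     // constructed, on the allowlist
        byte[] offList = serialize(new java.util.HashMap<>());  // constructed, not on the allowlist

        System.out.println(filtered(benign).readObject());      // prints hello
        try {
            filtered(offList).readObject();                     // rejected before instantiation
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the jdk.serialFilter system property when the consuming code cannot be changed, but a per-stream filter is the tighter control.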

Affected Systems

The vulnerability affects the Apache Software Foundation's Apache Camel Mina product. All Camel releases from 3.0.0 up to but not including 4.14.6, from 4.15.0 up to but not including 4.18.2, and from 4.19.0 up to but not including 4.20.0 are impacted; this includes the 4.14.x LTS branch before 4.14.6 and the 4.18.x releases before 4.18.2.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% reflects a low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker can reach the vulnerable component via a TCP or UDP consumer port exposed to the network, send a crafted serialized payload, and trigger code execution with no additional prerequisites. The attack can be performed remotely against any publicly reachable or locally accessible consumer ports.

Generated by OpenCVE AI on April 28, 2026 at 13:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel Mina to version 4.20.0, which includes the deserialization patch.
  • If the system is on the 4.14.x LTS branch, upgrade to 4.14.6; if on the 4.18.x releases, upgrade to 4.18.2.
  • Temporarily disable the Camel route that consumes Mina streams or block inbound traffic on the vulnerable port until a patch is applied.
  • Implement network segmentation or host‑based firewall rules to limit access to the MINA consumer port, reducing the attack surface while the upgrade is pending.



Advisories
Source ID Title
Github GHSA GHSA-vpr3-2659-rw55 Camel-MINA Vulnerable to Deserialization of Untrusted Data
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 27 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
Title Apache Camel Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP
Weaknesses CWE-502
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-29T03:55:34.353Z

Reserved: 2026-04-13T16:02:12.368Z

Link: CVE-2026-40473

Vulnrichment

Updated: 2026-04-27T07:52:13.962Z

NVD

Status: Analyzed

Published: 2026-04-27T09:16:01.640

Modified: 2026-04-28T19:43:05.663

Link: CVE-2026-40473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses