Description
Deserialization of Untrusted Data vulnerability in Apache Camel.

The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream) This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSerializedObject=true) and throwExceptionOnFailure is left at its default value of true; in that case a backend HTTP response with a 5xx status and the application/x-java-serialized-object content type has its body deserialized with no class restrictions. An attacker who controls the backend the Camel producer talks to - through a man-in-the-middle position on an unencrypted (plain HTTP) connection, or by compromising the backend service - can return a crafted serialized Java object and, if a suitable gadget chain is present on the classpath, achieve remote code execution on the Camel application host. The path is not reachable in the default configuration, where transferException is false.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0.

Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserializationFilter endpoint option or the JVM-wide -Djdk.serialFilter system property. For deployments that cannot upgrade immediately: do not enable transferException=true (or allowJavaSerializedObject=true) on producers that talk to untrusted or network-reachable backends; ensure producer connections use TLS (https) so that a response cannot be substituted by a man-in-the-middle; and, where the option is required, set an explicit -Djdk.serialFilter allow-list (for example java.**;org.apache.camel.**;!*) to constrain deserialization.
Published: 2026-07-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Apache Camel’s camel-vertx-http component allows deserialization of untrusted Java objects received in HTTP responses. When the producer endpoint is set with transferException=true (or the component-level allowJavaSerializedObject=true) and throwExceptionOnFailure is left at its default true, a 5xx backend response bearing the application/x-java-serialized-object content type is deserialized with no class restrictions. This gives an attacker the ability to craft a malicious serialized payload and, if a compatible gadget chain is present on the server classpath, execute arbitrary code on the Camel host. The flaw falls under CWE‑502 – Deserialization of Untrusted Data.

Affected Systems

Apache Camel 4.0.0 up to (but not including) 4.14.8, 4.15.0 up to (but not including) 4.18.3, and 4.19.0 up to (but not including) 4.20.0 are affected. Users running any of these vulnerable releases are at risk.

Risk and Exploitability

The attack path requires the attacker to control the backend system that the Camel producer communicates with, or to position a man‑in‑the‑middle on an unencrypted HTTP connection, and to supply a crafted Java object that will be deserialized. Because the flaw is only reachable when transferException or allowJavaSerializedObject is enabled and the default exception handling is active, it is not an arbitrary vulnerability; it demands precise configuration. Despite its high impact (remote code execution), the EPSS score is reported as less than 1 % and the issue is not yet listed in CISA’s KEV catalog, indicating that the likelihood of exploitation in the wild is currently low. Nonetheless, the potential damage warrants prompt remediation.

Generated by OpenCVE AI on July 7, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to 4.20.0; if deployed on the 4.14.x LTS stream, upgrade to 4.14.8; if on the 4.18.x stream, upgrade to 4.18.3.
  • Disable the transferException=true or allowJavaSerializedObject=true options on producers that connect to untrusted or network‑reachable backends.
  • Ensure producer connections use TLS (HTTPS) so that a response cannot be substituted by a man‑in‑the‑middle; if TLS cannot be used, set an explicit jdk.serialFilter allow‑list (for example java.;org.apache.camel.;!*) to constrain deserialization.

Generated by OpenCVE AI on July 7, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Mon, 06 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream) This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSerializedObject=true) and throwExceptionOnFailure is left at its default value of true; in that case a backend HTTP response with a 5xx status and the application/x-java-serialized-object content type has its body deserialized with no class restrictions. An attacker who controls the backend the Camel producer talks to - through a man-in-the-middle position on an unencrypted (plain HTTP) connection, or by compromising the backend service - can return a crafted serialized Java object and, if a suitable gadget chain is present on the classpath, achieve remote code execution on the Camel application host. The path is not reachable in the default configuration, where transferException is false. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserializationFilter endpoint option or the JVM-wide -Djdk.serialFilter system property. For deployments that cannot upgrade immediately: do not enable transferException=true (or allowJavaSerializedObject=true) on producers that talk to untrusted or network-reachable backends; ensure producer connections use TLS (https) so that a response cannot be substituted by a man-in-the-middle; and, where the option is required, set an explicit -Djdk.serialFilter allow-list (for example java.**;org.apache.camel.**;!*) to constrain deserialization.
Title Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled
Weaknesses CWE-502
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T18:48:16.623Z

Reserved: 2026-04-15T12:20:24.037Z

Link: CVE-2026-40859

cve-icon Vulnrichment

Updated: 2026-07-06T09:25:02.059Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-06T07:54:29Z

Links: CVE-2026-40859 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T18:00:06Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data