Description
A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

The vulnerability is an unsafe deserialization flaw in Camel‑infinispan’s ProtoStream remote aggregation repository that allows a remote attacker with low privileges to send crafted data and gain arbitrary code execution. The flaw can compromise the confidentiality, integrity, and availability of the affected system, giving the attacker full control.

Affected Systems

Affected products include Red Hat Fuse 7, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack, Red Hat build of Apache Camel 4 for Quarkus 3, and Red Hat build of Apache Camel for Spring Boot 4. Specific version details are not provided in the advisory.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity of remote code execution. EPSS data are not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote, via network‑based communication with the Camel‑infinispan component, where an attacker sends maliciously crafted serialized data to trigger the flaw.

Generated by OpenCVE AI on April 22, 2026 at 19:23 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

  • Apply the latest Red Hat security patch for the affected Camel‑infinispan component as released in the vendor’s errata.
  • If a patch is not yet available, upgrade to a product release that contains the fix for unsafe deserialization.
  • Disable or remove the ProtoStream remote aggregation repository in Camel configuration to eliminate the vulnerable interface.
  • Enforce strict user permissions and network segmentation to limit exposure of the Camel services.
  • Monitor logs for deserialization attempts and configure intrusion detection rules against the CVE.
  • Apply the official Red Hat workaround as provided in the advisory, noting that it may not meet all deployment criteria.

Generated by OpenCVE AI on April 22, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.
Title Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization
First Time appeared Redhat
Redhat camel Quarkus
Redhat camel Spring Boot
Redhat jboss Enterprise Application Platform
Redhat jboss Fuse
Redhat jbosseapxp
Weaknesses CWE-502
CPEs cpe:/a:redhat:camel_quarkus:3
cpe:/a:redhat:camel_spring_boot:4
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:jbosseapxp
Vendors & Products Redhat
Redhat camel Quarkus
Redhat camel Spring Boot
Redhat jboss Enterprise Application Platform
Redhat jboss Fuse
Redhat jbosseapxp
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Redhat Camel Quarkus Camel Spring Boot Jboss Enterprise Application Platform Jboss Fuse Jbosseapxp
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-23T14:37:24.441Z

Reserved: 2026-04-22T12:43:14.958Z

Link: CVE-2026-6857

cve-icon Vulnrichment

Updated: 2026-04-22T13:34:22.726Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T13:16:22.583

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-6857

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-6857 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z

Weaknesses