Vulnerability DatabaseCVE-2026-40473
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-40473
Published:April 27, 2026
Updated:May 18, 2026
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
Affected Packages
https://github.com/apache/camel.git (GITHUB):
Affected version(s) >=camel-3.0.0 <camel-4.14.6
Fix Suggestion:
Update to version camel-4.14.6
https://github.com/apache/camel.git (GITHUB):
Affected version(s) >=camel-4.15.0 <camel-4.18.2
Fix Suggestion:
Update to version camel-4.18.2
https://github.com/apache/camel.git (GITHUB):
Affected version(s) =camel-4.19.0 <camel-4.20.0
Fix Suggestion:
Update to version camel-4.20.0
org.apache.camel:camel-mina (JAVA):
Affected version(s) >=4.15.0 <4.18.2
Fix Suggestion:
Update to version 4.18.2
org.apache.camel:camel-mina (JAVA):
Affected version(s) >=3.0.0 <4.14.6
Fix Suggestion:
Update to version 4.14.6
org.apache.camel:camel-mina (JAVA):
Affected version(s) =4.19.0 <4.20.0
Fix Suggestion:
Update to version 4.20.0
Related Resources (11)
http://www.openwall.com/lists/oss-security/2026/04/26/8
https://github.com/apache/camel/pull/22583
https://github.com/apache/camel
https://github.com/apache/camel/pull/22584
https://github.com/apache/camel/commit/c35b0a3720f8c80025b06112d5d9c2932426d7f0
https://github.com/apache/camel/commit/b605816d11c253d22989abc290c198be83e3f817
https://nvd.nist.gov/vuln/detail/CVE-2026-40473
https://issues.apache.org/jira/browse/CAMEL-23319
https://github.com/apache/camel/commit/8e7f6335d2b4b096df26f8221723405ceaee275a
https://camel.apache.org/security/CVE-2026-40473.html
https://github.com/apache/camel/pull/22585
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Deserialization of Untrusted Data
CWE-502
EPSS
Base Score:
0.12