{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-40858","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2026-04-15T12:16:41.226Z","datePublished":"2026-04-27T09:38:55.466Z","dateUpdated":"2026-06-30T03:16:55.179Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://repo.maven.apache.org/maven2","defaultStatus":"unaffected","packageName":"org.apache.camel:camel-infinispan","product":"Apache Camel","vendor":"Apache Software Foundation","versions":[{"lessThan":"4.14.7","status":"affected","version":"4.0.0","versionType":"semver"},{"lessThan":"4.18.2","status":"affected","version":"4.15.0","versionType":"semver"},{"lessThan":"4.20.0","status":"affected","version":"4.19.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Feng Ning from Innora Pte. Ltd."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application.</p><p>This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.</p><p>Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.</p><p>The JIRA ticket: <a target=\"_blank\" rel=\"nofollow\" href=\"https://issues.apache.org/jira/browse/CAMEL-23322\">https://issues.apache.org/jira/browse/CAMEL-23322</a> refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.<br></p>"}],"value":"The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application.\n\nThis issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.\n\nUsers are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.\n\nThe JIRA ticket:  https://issues.apache.org/jira/browse/CAMEL-23322  refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747."}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-502","description":"CWE-502 Deserialization of Untrusted Data","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2026-04-27T09:38:55.466Z"},"references":[{"tags":["vendor-advisory"],"url":"https://camel.apache.org/security/CVE-2026-40858.html"}],"source":{"defect":["CAMEL-23322"],"discovery":"EXTERNAL"},"title":"Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":8.8,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-04-27T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-40858"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-28T03:55:36.092Z"}},{"affected":[{"cpes":["cpe:/a:redhat:apache_camel_quarkus:3.33"],"defaultStatus":"affected","product":"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_spring_boot:4.18"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_quarkus:3"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel 4 for Quarkus 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"unaffected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"}],"datePublic":"2026-04-27T09:38:55.466Z","descriptions":[{"lang":"en","value":"A flaw was found in the camel-infinispan component of Apache Camel. A remote attacker, with the ability to write to the Infinispan cache, can inject a specially crafted serialized Java object. When this object is deserialized during normal aggregation repository operations, it can lead to arbitrary code execution within the application. This vulnerability stems from the component's use of java.io.ObjectInputStream without proper input filtering."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-502","description":"Deserialization of Untrusted Data","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-40858"},{"name":"RHBZ#2463179","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2463179"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40858.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:22453"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:17668"}],"solutions":[{"lang":"en","value":"RHSA-2026:22453: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"},{"lang":"en","value":"RHSA-2026:17668: Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14"}],"timeline":[{"lang":"en","time":"2026-04-27T10:01:35.538Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-27T09:38:55.466Z","value":"Made public."}],"title":"org.apache.camel/camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T03:16:55.179Z"}}]}}