Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-40860 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-27 |
| Vendor | Apache Software Foundation |
| Product | Apache Camel |
| CVSS Score | 9.8 (critical) |
| EPSS Score | 0.3% (percentile: 53%) |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values by calling javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. This code path is reached whenever Camel acts as a JMS consumer and the mapJmsMessage option is enabled, which is the default, so an attacker who can publish a crafted ObjectMessage to a queue or topic consumed by a Camel application can achieve remote code execution (RCE) through deserialization of a malicious Java object. As with any unfiltered Java deserialization, turning this into code execution requires a usable gadget chain on the consuming application's classpath, so the practical impact depends on the consumer's dependencies; the large dependency footprint of a typical Camel deployment makes that condition likely to be met.
Required Actions
Update Apache Camel to a patched version as soon as possible. Until the patch is deployed: disable mapJmsMessage on the affected consumer endpoints where the route can work with the raw JMS message itself (with mapJmsMessage=false the exchange body is the unmapped javax.jms.Message and Camel never calls ObjectMessage.getObject()); restrict who may publish to the queues and topics Camel consumes, using broker authentication and per-destination authorization rather than network reachability alone; and install a process-wide ObjectInputFilter (the jdk.serialFilter system property, or ObjectInputFilter.Config.setSerialFilter() at application startup) that allowlists only the payload classes the consumer actually expects and rejects everything else with a trailing !* pattern. A per-stream filter set on your own ObjectInputStream does not help here, because the stream that deserializes the payload is created inside the JMS client library's getObject() implementation, not by application code. Also check whether the JMS client library enforces its own deserialization allowlist (for example the trusted-packages setting of the ActiveMQ 5.x client) and configure it. Review broker and application logs for ObjectMessage payloads arriving from unexpected producers and, once a filter is in place, for InvalidClassException deserialization failures, which can indicate probing.
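The process-wide filter described above, as an added example; this is not Apache Camel or ASF code. The package com.example.orders, the Order payload class, the filter pattern string and the deserializeLikeJmsClient() helper (which stands in for the ObjectInputStream that a JMS client creates inside ObjectMessage.getObject()) are assumptions made for the demonstration. It installs a global allowlist once, then shows that a legitimate payload still deserializes while a java.util.HashMap, the entry point of many known gadget chains, is rejected even though the stream that reads it carries no per-stream filter.

```java
package com.example.orders;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example, not project code. Installs a JVM-wide ObjectInputFilter
 * allowlist, the only kind of filter that reaches ObjectMessage.getObject()
 * calls made inside the JMS client library, where application code never
 * sees the ObjectInputStream. The Order class and the pattern are assumptions:
 * replace com.example.orders.* with the packages your consumers really expect.
 */
public final class JmsSerialFilterDemo {

    /** Allowlisted payload type that a Camel route might legitimately receive (assumed). */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final long amountCents;
        Order(String id, long amountCents) { this.id = id; this.amountCents = amountCents; }
    }

    // Same effect as starting the JVM with
    // -Djdk.serialFilter='maxdepth=8;maxrefs=256;maxbytes=65536;com.example.orders.*;java.lang.String;!*'
    static final String FILTER_PATTERN =
        "maxdepth=8;maxrefs=256;maxbytes=65536;"   // structural limits against resource-exhaustion payloads
        + "com.example.orders.*;"                  // payload classes this consumer expects
        + "java.lang.String;"                      // String fields inside those payloads
        + "!*";                                    // reject every other class, gadget chains included

    /** Installs the global filter once; must run before the first JMS message is consumed. */
    public static void installGlobalFilter() {
        if (ObjectInputFilter.Config.getSerialFilter() == null) {   // setSerialFilter() may only be called once per JVM
            ObjectInputFilter.Config.setSerialFilter(
                ObjectInputFilter.Config.createFilter(FILTER_PATTERN));
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Stands in for the JMS client's ObjectMessage.getObject(): a plain
     * ObjectInputStream with no per-stream filter, so only the global filter applies.
     */
    static Object deserializeLikeJmsClient(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        installGlobalFilter();

        // Constructed sample payloads: one legitimate, one standing in for an attacker's object graph.
        byte[] legit = serialize(new Order("A-1001", 4999L));
        byte[] hostile = serialize(new HashMap<String, Object>());

        Order o = (Order) deserializeLikeJmsClient(legit);
        System.out.println("allowed: " + o.id + " " + o.amountCents);

        try {
            deserializeLikeJmsClient(hostile);
            System.out.println("BUG: hostile payload was deserialized");
        } catch (InvalidClassException e) {
            // The filter returns REJECTED for java.util.HashMap, and ObjectInputStream
            // turns that into an InvalidClassException before any field is read.
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Place the file under com/example/orders/ and compile it with javac, or run it directly with the JDK 11+ source launcher. A global allowlist applies to every ObjectInputStream in the JVM, including ones used by HTTP session persistence, caches or RMI, so inventory those uses and test the filter across the whole application before shipping a trailing !* to production.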
Who Is Affected?
This vulnerability affects Apache Camel by Apache Software Foundation. Any application that consumes JMS messages through camel-jms or camel-sjms with mapJmsMessage left at its default (enabled) is exposed; a Camel application that only produces JMS messages does not reach the vulnerable code path. Check whether your organization runs Apache Camel as a JMS consumer (camel-jms or camel-sjms), including through Spring Boot starters and other frameworks that pull these components in transitively, and update the installation to a patched version without delay.
Sources
