-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- ---
title: "Apache Camel Security Advisory - CVE-2026-40473"
date: 2026-04-24T09:00:00+02:00
url: /security/CVE-2026-40473.html
draft: false
type: security-advisory
cve: CVE-2026-40473
severity: MEDIUM
summary: "Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP"
description: "The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject()."
mitigation: "Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2."
credit: "This issue was discovered by Venkatraman Kumar from Securin"
affected: "From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0."
fixed: 4.14.6, 4.18.2 and 4.20.0
- ---

The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23319 refers to the various commits that resolved the issue and has more details.

This follows the same hardening pattern applied in CAMEL-23297 (camel-netty), CAMEL-23321 (camel-jms), and CAMEL-23322 (camel-infinispan), and matches the class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.
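The advisory's root cause is an ObjectInputStream built over network bytes with no ObjectInputFilter, and the referenced fixes apply a deserialization-filter hardening pattern. The following is an added, stand-alone Java illustration of that pattern using only the JDK's java.io.ObjectInputFilter API; it is not Camel's code and does not reproduce the camel-mina fix. A ByteArrayInputStream stands in for the MINA IoBuffer, the Greeting class and the allowlist pattern are constructed for the example, and the resource limits are illustrative values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInput;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

// Added example (not Camel code): the unfiltered conversion shape the advisory
// describes, next to a hardened form that installs an allowlist filter.
public class FilteredObjectInputDemo {

    // Constructed payload type that the application legitimately expects.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final int count;
        Greeting(int count) { this.count = count; }
    }

    // Vulnerable shape: raw ObjectInputStream over untrusted bytes, no filter.
    // Any serializable class on the classpath may be instantiated in readObject().
    static ObjectInput unfiltered(byte[] payload) throws IOException {
        return new ObjectInputStream(new ByteArrayInputStream(payload));
    }

    // Hardened shape: filter set before any readObject() call. The JDK pattern
    // syntax is "limit=value;" entries, class-name patterns, then "!*" to reject
    // everything not explicitly allowed. Limits here are illustrative values.
    static ObjectInput filtered(byte[] payload, String allowedClassPattern) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload));
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=10;maxrefs=1000;maxbytes=1048576;" + allowedClassPattern + ";!*");
        ois.setObjectInputFilter(filter);
        return ois;
    }

    // Helper used only to build sample streams for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Only the expected type is allowed; nested class name includes the outer class.
        String allow = "FilteredObjectInputDemo$Greeting";

        // Expected input passes the filter.
        Greeting g = (Greeting) filtered(serialize(new Greeting(3)), allow).readObject();
        System.out.println("allowed: Greeting(count=" + g.count + ")");

        // Any other class is refused before its readObject() logic runs.
        byte[] other = serialize(new Date(0L));
        try {
            filtered(other, allow).readObject();
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }

        // The unfiltered stream accepts the same Date object without complaint,
        // which is the behaviour the advisory warns about for untrusted input.
        Object o = unfiltered(other).readObject();
        System.out.println("unfiltered stream accepted: " + o.getClass().getName());
    }
}
```

The filter must be installed before the first readObject() call, because class resolution and the filter check happen as each class descriptor is read. A process-wide default can also be set with the jdk.serialFilter system property, which covers code paths (such as a third-party type converter) that create ObjectInputStream instances outside the application's control; the explicit per-stream filter above is the finer-grained option when the expected payload types are known.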
-----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmn69J0ACgkQ406fOAL/ QQDeIwf/aKlnBJWdxnTtd2ttygDGiBQIneXbZhFEmqi9pe0iE9SZyOq6DJR2lJTs nS1FqHsl8yzzM6SbH2mbWCHTfEi2pBZVpG7cTdvb4JL1MM0iN6z3Kj01pzCDXi5c lK5fRpp6Z3g6sknFjGtExYu0Tyut+oykgEXJwj/D88UhrZChMWGjZFBxmqdGhpgV i9GwNecYPlpK4wq2JS8r97mUr1MowrYg0djXrk8qqa/nE3tdCgGpgKeJmWx+llHy v39G7sZzkTARvGmPzGOOz1XR5jExWCYX78XJGS0r/7lX8ZgksU/U39DYPgh82a5n Szad7cdiciey72RVTRj88NmZoThbZw== =Zd6k -----END PGP SIGNATURE-----