Cyber Posture

CVE-2026-27172

Severity: High
Published: 27 April 2026
Modified: 28 April 2026
KEV Added: (none)
Patch: available (fixed releases listed below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS release stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x release stream, they are suggested to upgrade to 4.18.1.

Mitigating Controls (NIST 800-53 r5)

Prevent (flaw remediation): directly mitigates the deserialization vulnerability by requiring timely application of vendor patches, upgrading affected Apache Camel deployments to 4.14.6, 4.18.1 or 4.19.0.

Prevent (input validation): mandates validation and filtering of data read from the Consul KV store. For Java serialization this means an ObjectInputFilter allowlist that rejects any class the registry does not expect before that class is resolved; inspecting the object after readObject() returns is too late, because gadget chains execute during deserialization.

Prevent (least privilege): restricts write access to the Consul KV store, for example with Consul ACL policies that grant write on the registry's key prefix only to the Camel service's own token, so that an attacker without that token cannot inject serialized objects. Note that Consul ships with ACLs disabled, in which case any client that can reach the agent can write to the KV store.

Security Summary

CVE-2026-27172 is a deserialization vulnerability in the ConsulRegistry class (specifically its inner ConsulRegistryUtils.deserialize method) within the camel-consul component of Apache Camel. The flaw occurs because the component reads Java-serialized values from a Consul KV store and passes them directly to ObjectInputStream.readObject() without an ObjectInputFilter, so any class reachable on the Camel classpath can be instantiated from attacker-supplied bytes, enabling gadget chain exploitation. It affects Apache Camel versions from 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-502.

An attacker with write access to the Consul KV store backing a Camel ConsulRegistry instance can inject a malicious serialized Java object. The next time Camel performs a registry lookup, the object is deserialized, resulting in arbitrary code execution within the Camel process, with whatever privileges that process holds. The required access is modest (PR:L): a Consul ACL token with write on the registry's key prefix, or network reach to a Consul agent running without ACLs. This issue resembles vulnerabilities previously addressed in CVE-2024-22369, CVE-2024-23114, and CVE-2026-25747 but was overlooked in their remediations.

The Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-27172.html recommends upgrading to version 4.19.0 to resolve the issue. Users on the 4.14.x LTS release stream should upgrade to 4.14.6, while those on the 4.18.x stream should upgrade to 4.18.1. Where an upgrade cannot be scheduled immediately, restricting KV write access with Consul ACLs and applying a JVM-wide deserialization filter (the jdk.serialFilter system property) reduce exposure in the meantime.
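The following is an added example, not code from Apache Camel or from the advisory, illustrating both the vulnerable pattern the description and summary above refer to and the ObjectInputFilter-based fix the input-validation control calls for. It assumes an in-memory map standing in for the Consul KV store, a hypothetical Endpoint value type the registry legitimately stores, and a hypothetical Unexpected class standing in for whatever an attacker would write into the store; the filter pattern string is this example's own choice, not the project's.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration, not Apache Camel code: a registry that keeps Java-serialized values
 * in a key/value store, shown first with the vulnerable readObject() pattern and then with a
 * JEP 290 ObjectInputFilter allowlist. The map below stands in for Consul KV; Endpoint and
 * Unexpected are hypothetical classes chosen for this example.
 */
public class FilteredRegistryDemo {

    /** Constructed stand-in for the Consul KV store: key -> serialized bytes. */
    private static final Map<String, byte[]> KV = new HashMap<>();

    /** Hypothetical value type the registry legitimately stores. */
    public static final class Endpoint implements Serializable {
        private static final long serialVersionUID = 1L;
        final String uri;
        Endpoint(String uri) { this.uri = uri; }
        @Override public String toString() { return "Endpoint(" + uri + ")"; }
    }

    /** Hypothetical stand-in for an attacker-chosen class; a real gadget chain starts the same way. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /**
     * Allowlist filter: only the registry's own value type and String may be resolved, everything
     * else is rejected ("!*"). The limits blunt resource-exhaustion payloads (deep graphs, huge streams).
     */
    static final ObjectInputFilter REGISTRY_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=64;maxbytes=65536;"
            + Endpoint.class.getName() + ";java.lang.String;!*");

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern (CWE-502): whatever class the stream names is resolved and instantiated. */
    static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: the filter is consulted before any class named in the stream is resolved. */
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(REGISTRY_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // One legitimate write by the application, one by whoever else holds write access to the store.
        KV.put("camel/registry/orders", serialize(new Endpoint("direct:orders")));
        KV.put("camel/registry/payments", serialize(new Unexpected()));

        for (Map.Entry<String, byte[]> entry : KV.entrySet()) {
            String key = entry.getKey();
            byte[] bytes = entry.getValue();
            // Unfiltered lookup: the attacker-chosen class is instantiated without complaint.
            System.out.println("unfiltered " + key + " -> "
                    + deserializeUnfiltered(bytes).getClass().getName());
            try {
                System.out.println("filtered   " + key + " -> " + deserializeFiltered(bytes));
            } catch (InvalidClassException e) {
                // Filter status REJECTED: the class is never loaded, so no gadget chain can run.
                System.out.println("filtered   " + key + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac FilteredRegistryDemo.java && java FilteredRegistryDemo` on Java 17 or later (ObjectInputFilter exists since Java 9). The same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property, which is the stopgap for a deployment that cannot be patched yet; a stream-level filter as above is preferable in the component itself because the allowlist can be as narrow as the registry's own value types.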

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

apache / camel
3.0.0 up to (excluding) 4.14.6 · 4.15.0 up to (excluding) 4.18.1

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The deserialization flaw turns write access to the Consul KV store (PR:L, AV:N) into code execution inside the Camel process when it next performs a registry lookup, which is the remote-service exploitation of T1210. T1068 applies only to the extent that the Camel process runs with more privilege than the attacker's KV write access already implies; the CVSS vector records an unchanged scope (S:U), so the gain is that process's own privileges rather than an escape from it.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://camel.apache.org/security/CVE-2026-27172.html (Apache Camel security advisory)