Cyber Posture

CVE-2026-40473

High

Published: 27 April 2026

Published
27 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.9th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class)…

more

or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the deserialization vulnerability in camel-mina by requiring timely patching to fixed Apache Camel versions that apply ObjectInputFilter and class-loading restrictions.

SI-10 Information Input Validation good match
prevent

Mandates validation of network inputs like IoBuffers prior to conversion to ObjectInputStream, preventing exploitation via crafted serialized objects lacking proper filtering.

SC-7 Boundary Protection partial match
prevent

Enforces network boundary protections to limit remote access to vulnerable TCP/UDP MINA consumer ports, reducing the attack surface for network-based deserialization attacks.

Security SummaryAI

CVE-2026-40473 is a deserialization vulnerability (CWE-502) in the camel-mina component of Apache Camel. The MinaConverter.toObjectInput(IoBuffer) method wraps an IoBuffer in a java.io.ObjectInputStream without applying ObjectInputFilter or class-loading restrictions. This affects Apache Camel versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0, specifically when a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput, such as via getBody(ObjectInput.class) or @Body ObjectInput.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) by sending a crafted serialized Java object to the MINA consumer port. The vulnerability has low complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U), earning a CVSS v3.1 base score of 8.8. Successful exploitation triggers arbitrary code execution in the context of the application during the readObject() process.

The Apache Camel security advisory recommends upgrading to version 4.20.0 to fix the issue. Users on the 4.14.x LTS release stream should upgrade to 4.14.6, while those on the 4.18.x stream should upgrade to 4.18.2. Additional details are available in the official advisory at https://camel.apache.org/security/CVE-2026-40473.html and the OSS-Security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/04/26/8.

Details

CWE(s)
CWE-502

Affected Products

apache
camel
4.19.0 · 3.0.0 — 4.14.6 · 4.15.0 — 4.18.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

CVE-2026-40473 is a network-accessible deserialization vulnerability in a public-facing Apache Camel Mina TCP/UDP consumer, enabling remote arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References