CVE-2026-40860
Published: 27 April 2026
Description
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the deserialization vulnerability by requiring timely patching and upgrading of affected Apache Camel versions as recommended in the advisory.
Prevents remote code execution by enforcing validation of untrusted JMS ObjectMessage inputs using ObjectInputFilter, class allowlists, or denylists during deserialization.
Establishes secure configuration settings for Camel JMS components, such as disabling the default mapJmsMessage option, to avoid triggering the vulnerable extractBodyFromJms code path.
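As an added illustration of the second control above (example code, not Camel's own fix), this is a process-wide java.io.ObjectInputFilter that enforces a default-deny class allowlist plus depth, reference and size limits, so any ObjectInputStream the JMS client opens inside getObject() is covered. The class names in ALLOWED are a constructed allowlist for this example; a real consumer would list exactly the types its routes expect.

```java
import java.io.*;
import java.util.*;

public final class SerialAllowlist {
    // Constructed allowlist for this example: the only classes a consumer expects in an
    // ObjectMessage. Serializable superclasses are checked too, so list every serializable ancestor.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.util.ArrayList", "java.util.HashMap");

    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        // Resource limits reject oversized or deeply nested streams before any class loads.
        if (info.depth() > 10 || info.references() > 1_000 || info.streamBytes() > 1_000_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limit-only callback, no class involved
        while (c.isArray()) c = c.getComponentType();            // judge arrays by their element type
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED; // default deny: unknown classes never load
    }

    // Process-wide filter: applies to every ObjectInputStream that does not set its own,
    // including the one the JMS client opens inside ObjectMessage.getObject().
    public static void install() {
        ObjectInputFilter.Config.setSerialFilter(SerialAllowlist::check);
    }

    // Serialize and immediately deserialize an object through the installed filter.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        install();
        System.out.println("accepted: " + roundTrip(new ArrayList<>(List.of("order-1", "order-2"))));
        try {
            roundTrip(new Date()); // java.util.Date is not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be supplied without code through the jdk.serialFilter system property; either way the filter has to be in place before the application creates its first ObjectInputStream, since setSerialFilter can only be called once.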
Security Summary
CVE-2026-40860 is a critical deserialization vulnerability (CWE-502) in Apache Camel's JMS-related components, including camel-jms, camel-sjms, camel-sjms2, camel-amqp, camel-activemq, and camel-activemq6. The flaw resides in the JmsBinding.extractBodyFromJms() method in camel-jms and equivalent classes in the other components, which deserialize payloads from incoming JMS ObjectMessages using javax.jms.ObjectMessage.getObject() without any ObjectInputFilter, class allowlist, or class denylist. This code path is invoked by default when the mapJmsMessage option is enabled (the default setting) and Camel operates as a JMS consumer. The vulnerability affects Apache Camel versions from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0.
An attacker who can publish a crafted ObjectMessage to a queue or topic consumed by a vulnerable Camel application can trigger remote code execution if a deserialization gadget chain is present on the application's classpath. Exploitation requires only network access to the JMS broker, with no authentication or user interaction, and the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The Apache Camel security advisory recommends upgrading to version 4.20.0, which resolves the issue. Users on the 4.14.x LTS release stream should upgrade to 4.14.7, while those on 4.18.x should upgrade to 4.18.2. Further details are provided in the official advisory at https://camel.apache.org/security/CVE-2026-40860.html and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/04/26/10.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote code execution via crafted JMS ObjectMessages on a network-accessible broker, directly enabling exploitation of a public-facing application.