-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- ---
title: "Apache Camel Security Advisory - CVE-2026-40473"
date: 2026-04-24T09:00:00+02:00
url: /security/CVE-2026-40473.html
draft: false
type: security-advisory
cve: CVE-2026-40473
severity: Medium
summary: "Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP"
description: "The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker who can reach the MINA consumer port can send a crafted serialized Java object and, provided a suitable gadget chain is present on the application classpath, trigger arbitrary code execution in the context of the application during readObject()."
mitigation: "Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS release stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x release stream, then they are suggested to upgrade to 4.18.2."
credit: "This issue was discovered by Venkatraman Kumar from Securin"
affected: "From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0."
fixed: 4.14.6, 4.18.2 and 4.20.0
- ---

The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23319 refers to the various commits that resolved the issue, and has more details.

This follows the same hardening pattern applied in CAMEL-23297 (camel-netty), CAMEL-23321 (camel-jms), and CAMEL-23322 (camel-infinispan), and matches the class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.
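The following is an added example and is not Camel's code, nor the actual MinaConverter: it shows the shape of the bug the description refers to (attacker-controlled bytes wrapped directly in an ObjectInputStream with no ObjectInputFilter) beside a hardened converter that enforces an allowlist and structural limits before any class is resolved. The MINA IoBuffer is replaced by a plain byte[] so it runs on a bare JDK 9+; the Greeting class, the allowlist contents and the use of HashMap as a stand-in for a crafted payload are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInput;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

/** Added example, not Camel's code. IoBuffer is replaced by byte[] (assumption). */
public class UnsafeVsFilteredDeserialization {

    /** Constructed stand-in for a message type a route legitimately expects (assumption). */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        final int count;
        Greeting(String text, int count) { this.text = text; this.count = count; }
    }

    /** Vulnerable shape: network bytes straight into ObjectInputStream, no filter, no class restrictions. */
    static ObjectInput toObjectInputUnfiltered(byte[] payload) throws IOException {
        return new ObjectInputStream(new ByteArrayInputStream(payload));
    }

    /** Hardened shape: the filter runs on every class descriptor before it is resolved or instantiated. */
    static ObjectInput toObjectInputFiltered(byte[] payload, Set<String> allowed) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload));
        ois.setObjectInputFilter(info -> {
            // Structural limits first: deep graphs, huge arrays and reference floods are classic DoS vectors.
            if (info.depth() > 8 || info.arrayLength() > 10_000 || info.references() > 1_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                // Callback carried no class (limits-only check); leave the decision to the stream.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) {
                c = c.getComponentType();
            }
            if (c.isPrimitive() || allowed.contains(c.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            // Anything not explicitly expected is refused, which is what stops gadget chains.
            return ObjectInputFilter.Status.REJECTED;
        });
        return ois;
    }

    /** Helper to build sample payloads in-process (constructed input, not captured traffic). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Greeting.class.getName(), "java.lang.String");
        byte[] benign = serialize(new Greeting("hello", 3));
        // Stand-in for a crafted payload: any class outside the allowlist. A real attacker would
        // serialize a gadget chain present on the target classpath; HashMap just shows the mechanism.
        byte[] unexpected = serialize(new HashMap<String, String>());

        Greeting g = (Greeting) toObjectInputFiltered(benign, allowed).readObject();
        System.out.println("filtered, allowlisted type: " + g.text + " x" + g.count);

        Object o = toObjectInputUnfiltered(unexpected).readObject();
        System.out.println("unfiltered: resolved and instantiated " + o.getClass().getName());

        try {
            toObjectInputFiltered(unexpected, allowed).readObject();
            System.out.println("filtered: filter did not fire");
        } catch (InvalidClassException e) {
            // The stream throws before the rejected class is loaded or its readObject() runs.
            System.out.println("filtered: rejected before instantiation: " + e.getMessage());
        }
    }
}
```

The allowlist is deliberately a list of expected types rather than a denylist of known gadgets: new gadget chains appear regularly, and a consumer that is reachable over TCP or UDP should only ever reconstruct the handful of classes the route actually needs. Where a filter cannot be set per stream, the same limits can be applied process-wide through the jdk.serialFilter system property.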
-----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmnrMiQACgkQ406fOAL/ QQAm5gf9EVk98npgzdZLftTDg5VmMcsaBVOQWgC1BpDcwlcA40G3m5V45CpX+hV7 BvVicrIcJ2WeLGv8XeuFlZYkkasMVoe2Lc5tKaLCFIogY7fc7+QnEBtbT0RPqmPP RAwG35k+Uip0SEDSQWE+FDFZUk9QF7G9cskcCr9nZutYb+/8msXb7QOjwF5EYj39 P8Hktd4m2uaR1XcbIMe26i90MqMfcGngDjSjwlkZ1gu91E4vLF0an6NSkGZIWq84 4fLXb/EQwHVFUb1Hmf6OTuIwIgKcVmxiqCskXqGImf9Rpn76Gca2VhOC7n9n3vna GdaQT7QWDo1U9pyNAZ0iK02Zsh6muQ== =r+2d -----END PGP SIGNATURE-----