# Apache Camel Security Advisory: CVE-2026-40473

## Vulnerability Overview

- **Severity**: Medium
- **Summary**: An insecure deserialization vulnerability exists in the `MinaConverter.toObjectInput()` method of the Camel-Mina component, which can be triggered over TCP/UDP.
- **Description**:
  - The `MinaConverter.toObjectInput()` type converter wraps an `IoBuffer` in a `java.io.ObjectInputStream` without applying any `ObjectInputFilter` or class-loading restrictions.
  - When a Camel route uses `camel-mina` as a TCP or UDP consumer and requests conversion to `ObjectInput` (e.g., via `getBody(ObjectInput.class)` or `@Body ObjectInput`), an attacker can send a specially crafted serialized Java object to the MINA consumer port over the network, triggering arbitrary code execution during `readObject()`.

## Impact Scope

- **Affected Versions**:
  - 3.0.0 to 4.14.6 (4.14.6 excluded)
  - 4.15.0 to 4.18.2 (4.18.2 excluded)
  - 4.19.0 to 4.20.0 (4.20.0 excluded)

## Remediation

- **Fixed Versions**: 4.14.6, 4.18.2, 4.20.0
- **Mitigation Recommendations**:
  - Upgrading to 4.20.0 is recommended.
  - If using the 4.14.x LTS release stream, upgrade to 4.14.6.
  - If using the 4.18.x release stream, upgrade to 4.18.2.

## Additional Information

- **Notes**:
  - JIRA ticket: [CAMEL-23331](https://issues.apache.org/jira/browse/CAMEL-23331)
  - This fix follows the same hardening pattern as CAMEL-23297, CAMEL-23321 and CAMEL-23322.
  - Belongs to the same class of vulnerabilities as CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.
- **Credit**: Discovered by Venkatraman Kumar.
- **References**:
  - PGP-signed advisory data: [CVE-2026-40473.txt.asc](https://www.apache.org/dist/camel/SECURITY-CVE-2026-40473.txt.asc)
  - MITRE CVE entry: [https://www.cve.org/CVERecord?id=CVE-2026-40473](https://www.cve.org/CVERecord?id=CVE-2026-40473)
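The missing control named in the Vulnerability Overview is an `ObjectInputFilter` on the `ObjectInputStream` that wraps network bytes. The following added example (illustrative code, not the Camel project's fix) shows the standard JEP 290 allow-list approach: the filter rejects any class not explicitly permitted before `readObject()` resolves it. The class name, the constructed sample payload and the filter patterns are assumptions for the demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical demo class: bytes that arrive from an untrusted source are only
// ever read through an ObjectInputStream that carries an explicit allow-list.
public class FilteredDeserializationDemo {

    // JEP 290 pattern: allow java.util.ArrayList and java.lang.* types, cap the
    // object-graph depth, and reject every other class ("!*").
    static final ObjectInputFilter ALLOW_LIST =
            ObjectInputFilter.Config.createFilter(
                    "maxdepth=5;java.util.ArrayList;java.lang.*;!*");

    // Read one object from untrusted bytes with the filter installed before any
    // class descriptor in the stream is resolved.
    static Object readFiltered(byte[] payload, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(filter); // the step the vulnerable converter lacks
            return in.readObject();
        }
    }

    // Builds the constructed sample payload that stands in for network input.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<String> sample = new ArrayList<>(List.of("hello", "camel"));
        byte[] payload = serialize(sample); // constructed, benign sample

        // ArrayList is on the allow-list, so this succeeds.
        System.out.println("accepted: " + readFiltered(payload, ALLOW_LIST));

        // A stricter filter that omits ArrayList rejects the same stream with
        // InvalidClassException before any class-specific readObject logic runs.
        ObjectInputFilter strict =
                ObjectInputFilter.Config.createFilter("java.lang.*;!*");
        try {
            readFiltered(payload, strict);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later for `ObjectInputFilter`; a process-wide default can also be set with the `jdk.serialFilter` system property, which applies to every `ObjectInputStream` the JVM creates.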