# Apache Camel Security Advisory: CVE-2026-40860

## Vulnerability Overview

Apache Camel contains an insecure JMS deserialization vulnerability. When the `mapJmsMessage` option is enabled (it is enabled by default) and Camel acts as a JMS consumer, an attacker can achieve remote code execution (RCE) by publishing a specially crafted `ObjectMessage` to a queue or topic.

Affected components include:

- `camel-jms`
- `camel-sjms` (using the `JmsBinding` class)
- `camel-sjms2` (inheriting from `SjmsEndpoint`)
- `camel-amqp` (inheriting from `JmsBinding`)
- Other components based on `JmsComponent` (e.g., `camel-activemq`, `camel-activemq6`)

## Impact Scope

- `camel-jms`: 3.0.0 to 4.14.7 (exclusive)
- `camel-sjms`: 4.15.0 to 4.18.2 (exclusive)
- `camel-sjms2`: 4.19.0 to 4.20.0 (exclusive)

## Remediation

It is recommended to upgrade to the following versions:

- 4.14.7
- 4.18.2
- 4.20.0

Specific upgrade paths:

- 4.14.x LTS users → upgrade to 4.20.0
- 4.18.x release stream users → upgrade to 4.18.2

## References

- JIRA Ticket: [CAMEL-23321](https://issues.apache.org/jira/browse/CAMEL-23321)
- PGP Signed Advisory: [CVE-2026-40860.txt.asc](CVE-2026-40860.txt.asc)
- Mitre CVE Entry: [https://www.cve.org/CVERecord?id=CVE-2026-40860](https://www.cve.org/CVERecord?id=CVE-2026-40860)

## Discoverer

Venkatraman Kumar from Securin
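The advisory ties the issue to a JMS consumer route with `mapJmsMessage` left at its default of `true`, which lets Camel deserialize an incoming `ObjectMessage` before route logic runs. The route below is an added example, not code from the advisory or from the Apache Camel project: it shows the default (vulnerable) route shape beside a hardened one that disables automatic mapping and accepts only the message types the route expects, so an `ObjectMessage` is rejected without its payload ever being deserialized. It assumes Camel 4.x with the `jakarta.jms` API, a `JmsComponent` registered under the name `jms`, a queue named `orders` and a bean named `orderService`; all of those names are hypothetical. Upgrading to a fixed release is the remediation the advisory gives; this configuration is a compensating control for consumers that cannot upgrade immediately, and it is also worth applying to upgraded deployments that have no legitimate use for `ObjectMessage`.

```java
// Added example, not part of the advisory or of Apache Camel itself.
// Assumptions: Camel 4.x (jakarta.jms), a JmsComponent bound as "jms",
// a queue "orders" and a bean "orderService" (all hypothetical names).
import jakarta.jms.Message;
import jakarta.jms.ObjectMessage;
import jakarta.jms.TextMessage;

import org.apache.camel.Exchange;
import org.apache.camel.LoggingLevel;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.jms.JmsMessage;

public class HardenedJmsConsumerRoute extends RouteBuilder {

    @Override
    public void configure() {
        // Rejected messages are logged and acknowledged rather than redelivered,
        // so a poisoned queue cannot keep the consumer in a redelivery loop.
        onException(IllegalArgumentException.class)
            .handled(true)
            .log(LoggingLevel.WARN, "Rejected JMS message: ${exception.message}");

        // Default route shape (vulnerable while running an affected version):
        // mapJmsMessage is true, so an ObjectMessage is deserialized by Camel
        // before any processor in the route can inspect it.
        //
        // from("jms:queue:orders").to("bean:orderService");

        // Hardened route shape: keep the raw jakarta.jms.Message as the body and
        // decide per message type which payloads may be extracted.
        from("jms:queue:orders?mapJmsMessage=false")
            .routeId("orders-consumer")
            .process(this::extractTrustedBody)
            .to("bean:orderService");
    }

    /**
     * Allow-list the JMS message types this route understands. The raw message
     * is inspected by type only; ObjectMessage.getObject() is never called, so
     * no attacker-supplied serialized object is ever deserialized here.
     */
    void extractTrustedBody(Exchange exchange) throws Exception {
        Message raw = exchange.getMessage(JmsMessage.class).getJmsMessage();

        if (raw instanceof ObjectMessage) {
            // Surface enough context for alerting (destination and message id)
            // without touching the serialized payload.
            throw new IllegalArgumentException("ObjectMessage not accepted on "
                + raw.getJMSDestination() + " (JMSMessageID=" + raw.getJMSMessageID() + ")");
        }

        if (raw instanceof TextMessage text) {
            // The only payload this route consumes: a plain text body.
            exchange.getMessage().setBody(text.getText());
            return;
        }

        throw new IllegalArgumentException(
            "Unsupported JMS message type: " + raw.getClass().getName());
    }
}
```

The same `mapJmsMessage=false` query parameter applies to every endpoint URI built on `JmsComponent` (the advisory lists `camel-activemq` and `camel-activemq6` as examples), so the allow-list processor can be reused across those consumers. The `onException` block marks the rejection as handled; if your broker should instead see a rollback and route the message to its own dead-letter destination, drop `handled(true)` and let the exception propagate.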