# Apache Camel Security Advisory: CVE-2026-40858

## Vulnerability Overview

- **Severity**: High
- **Summary**: An insecure deserialization vulnerability exists in the Camel-Infinispan component.
- **Description**: The remote aggregation repository based on ProtoStream uses `java.io.ObjectInputStream` to deserialize data read back from a remote Infinispan cache, without applying any `ObjectInputFilter`. An attacker who can write entries to the Infinispan cache used by the Camel application can therefore store malicious serialized Java objects in it. When the repository reads those entries during normal operation (for example in `get` or `recover`), the unfiltered deserialization can lead to arbitrary code execution in the context of the Camel application. The precondition is write access to the cache, so any Infinispan deployment shared with less-trusted clients, or reachable without authentication, should be treated as exposed.

## Affected Versions

- 4.0.0 to 4.14.7 (exclusive)
- 4.15.0 to 4.18.2 (exclusive)
- 4.19.0 to 4.20.0 (exclusive)

## Remediation

- **Fixed Versions**: 4.14.7, 4.18.2, 4.20.0
- **Mitigation**:
  - Users are advised to upgrade to version **4.20.0**.
  - If using the 4.14.x LTS release branch, upgrade to **4.14.7**.
  - If using the 4.18.x release branch, upgrade to **4.18.2**.

## Additional Information

- **Discoverer**: Feng Ning (Innora Pte. Ltd.)
- **References**:
  - JIRA Ticket: https://issues.apache.org/jira/browse/CAMEL-23322
  - PGP signed advisory data: CVE-2026-40858.txt.asc
  - MITRE CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-40858
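The description above hinges on one detail: `ObjectInputStream.readObject()` will instantiate whatever class the byte stream names unless an `ObjectInputFilter` is set. The following is an added, stand-alone example (not Camel's code and not the actual fix in the listed releases) that puts the unfiltered read next to an allowlist-filtered one. A `byte[]` stands in for an entry fetched from the Infinispan cache; the allowlisted class names and the `java.util.Date` payload are constructed for illustration and do not reflect what the Camel aggregation repository really stores.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

public class FilteredCacheRead {

    // Helper used only to build constructed sample payloads for this example.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: trust whatever the cache hands back. Any class on the
    // classpath named in the stream gets instantiated, including gadget chains.
    static Object readUnfiltered(byte[] fromCache) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(fromCache))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allowlist of the classes the repository legitimately stores
    // (hypothetical set for this example), "!*" to reject everything else, plus limits
    // on graph depth, array sizes and back-references to blunt resource-exhaustion payloads.
    // Note that java.lang.Number must be listed because Integer's serialized descriptor
    // names its Serializable superclass, which the filter is also asked about.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;"
          + "!*;maxdepth=10;maxarray=10000;maxrefs=1000");

    static Object readFiltered(byte[] fromCache) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(fromCache))) {
            ois.setObjectInputFilter(ALLOWLIST);   // the missing call this advisory is about
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "legitimate" aggregation state.
        Map<String, Integer> state = new HashMap<>();
        state.put("correlationKey", 42);
        byte[] legit = serialize(state);

        // Constructed stand-in for an attacker-written cache entry. Date is harmless;
        // the point is that any class outside the allowlist is refused the same way
        // a real gadget chain would be, before its readObject() ever runs.
        byte[] hostile = serialize(new java.util.Date());

        System.out.println("unfiltered read accepted: " + readUnfiltered(hostile));
        System.out.println("filtered read of legit entry: " + readFiltered(legit));
        try {
            readFiltered(hostile);
            System.out.println("unexpected: hostile entry accepted");
        } catch (InvalidClassException e) {
            // Expected: the filter returns REJECTED and ObjectInputStream throws.
            System.out.println("filtered read rejected hostile entry: " + e.getMessage());
        }
    }
}
```

Two practical notes. First, an allowlist is only as good as its coverage of the object graph actually written, so derive it from a serialized sample of real repository state rather than guessing, and expect to add Serializable superclasses as the comment above shows. Second, the JDK also accepts the same pattern syntax process-wide via the `jdk.serialFilter` system property (or the `java.security` file), which lets an operator add a filter to a deployment they cannot immediately rebuild; it does not replace the upgrade recommended above, since a global filter that is too broad silently breaks unrelated deserialization in the same JVM.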