Apache Camel camel-mina ObjIn type conv flaw before 4.20.0
CVE-2026-40473 Published on April 27, 2026
Apache Camel Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject().
This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.
Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
Vulnerability Analysis
CVE-2026-40473 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2026-40473 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2026-40473
Want to know whenever a new CVE is published for Apache Camel? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Camel Mina:- Version 3.0.0 and below 4.14.6 is affected.
- Version 4.15.0 and below 4.18.2 is affected.
- Version 4.19.0 and below 4.20.0 is affected.